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Abstract 

The Quantum Fourier Transform and Extensions of the Abehan Hidden Subgroup 

Problem 

by 

Lisa Ruth Hales 
Doctor of Philosophy in Logic and the Methodology of Science 

University of California at Berkeley 
Professor Umesh V. Vazirani, Chair 

The quantum Fourier transform (QFT) has emerged as the primary tool in quantum al- 
gorithms which achieve exponential advantage over classical computation and lies at the 
heart of the solution to the abelian hidden subgroup problem, of which Shor's celebrated 
factoring and discrete log algorithms are a special case. We begin by addressing various 
computational issues surrounding the QFT and give improved parallel circuits for both the 
QFT over a power of 2 and the QFT over an arbitrary cyclic group. These circuits are based 
on new insight into the relationship between the discrete Fourier transform over different 
cyclic groups. We then exploit this insight to extend the class of hidden subgroup problems 
with efficient quantum solutions. First we relax the condition that the underlying hidden 
subgroup function be distinct on distinct cosets of the subgroup in question and show that 
this relaxation can be solved whenever G is a finitely-generated abelian group. We then 
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extend this reasoning to the hidden cychc subgroup problem over the reals, showing how to 
efficiently generate the bits of the period of any sufficiently piecewise-continuous function 
on 5R. Finally, we show that this problem of period-finding over 3f?, viewed as an oracle 
promise problem, is strictly harder than its integral counterpart. In particular, period- 
finding over 3f? lies outside the complexity class MA, a class which contains period-finding 
over the integers. 



Professor Umesh V. Vazirani 
Dissertation Committee Chair 



i 



To Samantha, 
a faithful friend. 



ii 



Contents 

List of Figures iv 

1 Introduction 1 

1.1 Outline 3 

1.2 Notation 3 

1.3 Qubits 6 

1.4 Circuits: Classical vs. Quantum 7 

1.5 A Quantum Circuit Model 13 

1.5.1 Arithmetic Quantum Circuits 14 

2 Quantum Fourier Transforms and The Hidden Subgroup Problem 22 

2.1 The Discrete Fourier Transform 22 

2.2 Simon's Algorithm 27 

2.3 Generalizing Simon's Algorithm: The Abelian Hidden Subgroup Problem . 29 

3 Computing the Quantum Fourier Transform 33 

3.1 The QFT over Zn, N Smooth 33 

3.2 The QFT over 35 

3.2.1 The Classical FFT 35 

3.2.2 The QFT over 37 

3.3 Quantum Chirp- Z 38 

3.4 Eigenvalue Estimation 42 

4 Parallel Circuits for the Quantum Fourier Transform over 45 

4.1 Fourier Phase Estimation 47 

4.2 Quantum Fourier State Computation 51 

4.3 Copying a Fourier Basis State 51 

4.4 Putting it ah Together 52 

5 An Approximate Quantum Fourier Transform over an Arbitrary 57 

5.1 The Algorithm 58 

5.1.1 Size and Depth Analysis 60 



iii 

5.2 Fourier Sampling 62 

5.3 Fourier Sampling and The Hidden Subgroup Problem over Z 64 

5.3.1 Proof of Lemma 3 67 

6 A Relaxation of the Abelian Hidden Subgroup Problem 69 

6.1 Definitions and Main Theorems 70 

6.2 Finite Abelian G 72 

6.2.1 Proof of the Reconstruction Lemma 74 

6.3 The Relaxed Hidden Subgroup Problem over Z 77 

6.4 Finitely Generated Abelian G 78 

6.5 Proof of Lower Bound, Theorem 5 78 

6.5.1 Proof of Claim 1 81 

7 Hidden Subgroups over the Reals 82 

7.1 Overview 84 

7.2 The Algorithm 86 

7.2.1 Proof of Lemma 5 89 

7.2.2 Proofs of Lemmas 6 and 7 91 

8 Hidden Subgroups over the Reals and MA 94 

8.1 Quantum vs. Classical Complexity Classes 94 

8.2 MA 96 

8.3 Period-finding over 3? is outside of MA 99 

8.3.1 Proof of Lemma 9 105 

8.3.2 Proof of Lemma 8 108 

9 Fourier Transform Theorems 109 

9.1 Fourier Sampling Lemma 109 

9.1.1 Application: An Approximate QFT over an Arbitrary Modulus N . 112 

9.1.2 Two Claims 113 

9.1.3 Proof of Theorem 9 115 

9.1.4 Proofs of Claims 2 and 3 116 

9.2 Fourier Transform Theorems 117 

9.2.1 Proof of Theorem 10 119 

9.2.2 Proof of Theorem 11 121 

9.2.3 Proof of Claim 4 122 

9.2.4 Proof of Bound in Claim 4 124 

9.2.5 Proof of Observation 2 125 

9.2.6 Proof of Claim 5 126 

Bibliography 127 



iv 



List of Figures 

1.1 Quantum Gates: Hadamard, Rotation, Controlled Rotation 14 

1.2 Quantum Not 16 

1.3 Toffoli Gate 16 

1.4 Controlled Not and Quantum Copy. 17 

1.5 Quantum Addition 19 

1.6 Quantum Multiplication with Remainder 20 

1.7 Quantum Multiplication with Inverse 21 

2.1 QFT over (Z2)" 26 

3.1 QFT over e.<„Z^, 34 

3.2 QFT overman 37 

3.3 Eigenvalue Estimation 44 

4.1 Quantum Fourier Phase Estimation (FPE): \j)\j)^ — > |0)|j)^ 54 

4.2 Exact Quantum Fourier State Computation (QFS): |j)|0) — > The 
approximate version (AQFS) just omits the Rk for k G n{\ogn) 55 

4.3 Approximate Parallel QFT for Uniform Inputs (UQFT) 55 

4.4 Approximate Parallel QFT 56 

5.1 Approximate QFT over Zn 58 

5.2 Fourier Sampling over Zn 63 



V 

Acknowledgements 

I want to thank my advisor for his patience, his insight and his sense of humor without 
which this thesis would never have been completed. 

I am grateful to Sean Hallgren, the co-author of many of the results in this thesis. 
I really enjoyed the countless hours spent together in cafes over the years and hope to 
collaborate again. 

I want to thank the many members of the Logic group who have given me support 
and encouragement during my years at Berkeley. Professor John Addison deserves particular 
thanks for introducing me to the complexities of Complexity theory and for his ever-present 
sense of humor. I would certainly never have finished without the support and friendship 
of the group secretary, Catalina Cordoba. Good luck in your retirement! And thanks to 
Richard Zach for making the "middle years" of my graduate career more fun. 

I also want to thank the faculty, staff, and students of my adopted department, 
Computer Science, for making me feel welcome. 

Finally, I must thank my family. First, my Mom and Dad for their constant love 
and support without which none of this would have been possible. Second, my husband for 
putting up with my seemingly infinite thesis-writing and for his almost hourly help with 
my computer. My sister Kathy for doing the dishes, taking out the dog, and mowing the 
lawn even though she had her own thesis to write. Charlotte for her smiling face and hugs. 
Eve for her kicks and prods over the past few months which have served as a continuous 
reminder of the urgency of my task. And finally Sal for helping to heal a broken heart. 



1 



Chapter 1 

Introduction 

The primary tool underlying all quantum algorithms which achieve exponential 
advantage over classical computation is the quantum Fourier transform (QFT). The fact 
that the QFT over exponentially large groups can be computed efficiently is at the heart of 
the solution to the Abelian hidden subgroup problem, of which Shor's celebrated factoring 
and discrete logarithm algorithms [32] are a special case. The aim of this dissertation is 
twofold. First, we give improved quantum circuits for computing the QFT. Second, we use 
the resulting insight into the structure of the QFT to extend the class of hidden subgroup 
problems with efficient quantum solutions. 

In particular, after surveying existing techniques computing the QFT over finite 
Abelian groups, we give explicit parallel circuits for approximating the QFT over a power of 
2, tightening the results of [12]. We then give improved parallel circuits for approximating 
the QFT over an arbitrary cyclic group, based on new insight into the relationship between 
the discrete Fourier transforms over different cyclic groups. This insight also leads to a par- 
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ticularly elegant method of "Fourier sampling" ([6], [16], [20]) and simplifies the presentation 
of the standard Abelian hidden subgroup algorithm. 

Second, we extend the class of Abelian hidden subgroup promise problems which 
have efficient quantum algorithms. Given oracle access to a function / defined on a group 
G and constant on cosets of some unknown subgroup H < G, a solution to the hidden 
subgroup problem is a list of generators for the subgroup H. This problem can be solved 
efficiently on a quantum computer whenever G is a finitely-generated Abelian group and / 
is distinct on distinct cosets([21]). 

We first use our Fourier sampling procedure to relax this distinctness requirement, 
requiring only that the encoding of if by / be probabilistically unambiguous. This extends 
the results of [7] and [24] who relax the distinctness condition only slightly. Moreover, our 
result is tight - we give a corresponding lower bound which shows that, in the absence of 
such an unambiguous encoding, no polynomial-time algorithm, classical or quantum, can 
recover the desired hidden subgroup. 

Finally, we give an efficient quantum algorithm for the hidden cyclic subgroup 
problem over the reals 3fi. More specifically, given a sufficiently piecewise-continuous periodic 
function defined on 3fi, we show how to efficiently generate the bits of its period. Again 
we must require that the encoding of the period be probabilistically unambiguous. This 
generalizes a result of [18] which gives a quantum algorithm finding the period of a subclass 
of such functions and an important application, namely an efficient quantum solution to 
Pell's equation. Furthermore, we show that the hidden cyclic subgroup problem over 3f? is 
harder than the analogous problem over Z. In particular we show that a decision version of 
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the problem over 3fJ is outside of the complexity class MA, whereas any decision problem 
which reduces to the problem over Z lies inside of this class. 

1.1 Outline 

The remainder of this Chapter is devoted to setting up our quantum circuit model. 
Chapter 2 introduces the QFT and its relation to the hidden subgroup problem while 
Chapter 3 surveys earlier techniques for implementing the QFT. In Chapter 4 we give new 
parallel circuits for computing the QFT over a power of 2. Chapter 5 contains both our 
algorithm for computing the QFT over an arbitrary cyclic group and also the associated 
Fourier sampling procedures. The technical results leading to these algorithms can be found 
in Chapter 9. 

We then turn to extensions of the hidden subgroup algorithm. Chapter 6 extends 
the hidden subgroup algorithm over finitely generated Abelian groups to the case where the 
given function is not distinct on distinct cosets. The associated lower bound is found in 
Section 5. Chapter 7 is devoted to period-finding over the reals and and Chapter 8 to the 
proof that this problem is outside of MA. 

1.2 Notation 

We shall be primarily concerned with the vector space Vn over the field of complex 
numbers C consisting of formal linear combinations of bit-strings k G {0, 1}". We use the 
Dirac "ket" notation, |-), for vectors in this space and reserve \i), \j) and \k) for the basis 
vectors corresponding to the bit-strings i,j,k G {0, 1}". \v), \w), and \u) denote arbitrary 



vectors in this space with 



1^) = Yl ^ii-^')- 

ie{o,i}" 

Vn is a Hilbert Space with inner product 

{\v),\w))= ^ ViWl, 
iG{0,l}" 

where wl is the complex conjugate of Wi. By using the standard "bra" notation, (-1, to 
denote the dual vector, i.e. {v\ is the linear operator from to C defined by 

{v\\w) = {\v), \w)), 

the vertical bars of the adjacent "bra" and "ket" in the inner product of \v) and \w) can be 
conveniently merged and written as {v\w). We let || • || denote the norm associated with 
this inner product, 



\\\v)\\ = y/{v\v). 

Note that the vectors \k) form an orthonormal basis for Vn under this inner product. We 
will also use || • || to denote the associated operator norm. In particular if is a (linear) 
operator on Vn then 

For any linear operator U onVn there is a unique linear operator on Vn satisfying 

{Uv\w) = {v\U^w) 

for all vectors \v) and \w). is called the Hermitian adjoint of U. Its matrix repre- 
sentation is the conjugate transpose of the matrix representing U, in other words if U has 
matrix representation (uy) then the matrix representation of has ijth entry uji. An 
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operator U is called unitary if its Hermitian adjoint is also its inverse, that is, if UU^ = I. 
This is equivalent to the condition that the vectors U\k) form an orthonormal basis for V. 

An important construction underlying the quantum mechanics of multiparticle 
systems is the tensor product of vector spaces. Given any pair of bases for the vector 
spaces V and W, their Cartesian product forms a basis for the tensor product of V and W, 
denoted V W. That is, if \j) and \k) are elements of V and VF's respective bases then 
\j) (g) is an element of the resulting basis for V (g) W. F then consists of all linear 
combinations of these basis elements modulo the following equivalences: 

1. For any scalar c G C and elements \v) G V and \w) G W, 

c{\v) (8) {w)) = {c\v)) \w) = \v) {c\w)) . 

2. For any \v) and \v') in V and \w) and \w') in W the following hold 

{\v) + \v')) (g) \w) = \v) (g) \w) + \v') (g \w), 

and 

\v) (g [\w) + \w')) = \v) (g \w) + \v) (g \w'). 

These relations can also be used to give a basis independent construction of F (g - it is 
the free product of V and W modulo these equivalences. It is not hard to see that these 
equivalence relations do not collapse any elements of the basis for F (g described above 
and thus dim{V0W) = dim (F) dim (IF). It is worth noting that, while for any pair of 
vectors \v) eV and !■«;) G IF the vector |v) (g is in F(g IF, vectors of this form comprise 
only a tiny fraction of the tensor space. In particular, their description only has dimension 
dim(F) + dim{W). 
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The tensor product F (g) inherits a natural inner product structure from V and 
W by taking as an orthonormal basis any Cartesian product of orthonormal bases of V and 
W. Also, for any two linear operators A and B on V and W respectively, we can define 
their tensor product A(Si B which is the linear operator on V (SiW satisfying 

A(^B{\j)(^\k))=A\j)(^B\k), 

for basis elements \j) G V and |A;) G W. More generally, any bilinear map on the cartesian 
product V xW induces a linear transformation of the tensor product F (g) - a category 
theoretic definition of the tensor product can be formulated in these terms. 

Example: As a concrete example of the tensor product, recall the vector spaces 
Vn defined previously. The tensor product of any two spaces Vn and Vm has an orthonormal 
basis consisting of elements of the form |j) \ k) where j and k are bitstrings of length n 
and m respectively. The resulting space Vn <8) Vm is clearly isomorphic to Vn+m by extending 
the obvious map of basis elements 

|j) ® |/c) ^ \jk) 

Notice that this map is also preserves the corresponding inner product. ■ 

1.3 Qubits 

A qubit is the abstraction of a two-level quantum particle, in the same sense that 
a bit is the abstraction of a classical storage device which can be in one of two positions, 
or 1. While such a classical storage device is always either in position or in position 1, 
quantum particles can exist in a complex combination or "superposition" of levels and are 
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described by a unit vector in Vi, that is, a vector 

ao|0)+ai|l) (1.1) 

1 2 1 2 

where the Oj are complex numbers satisfying |ao| + |q;i| = 1- 

A measurement is the abstraction of a physical procedure which obtains clas- 
sical information about the state of the quantum particle. A measurement is represented 
mathematically as the projection of the state vector onto a pair of orthogonal subspaces. 
For instance, a measurement of the state (1.1) in the standard basis projects the state 
vector onto the subspaces generated by |0) and |1) respectively, yielding the state |0) with 
probability |ao|^ and |1) with probability \aif. 

Quantum computation entails the manipulation multi-particle quantum systems. 
A system of n qubits is described by a unit vector in Vn, the tensor product of the individual 
vector spaces Vi inhabited by each qubit. The state vector itself, however, need not be a 
product of vectors in these component spaces - recall that such product vectors form but 
a tiny fraction of the entire tensored space. A state vector which cannot be decomposed 
as such a product is entangled. Entangled states play a critical role both in quantum 
computation and quantum information theory. 

1.4 Circuits: Classical vs. Quantum 

Various models for quantum computation have been proposed. For our purposes 
it will be most convenient to work in the quantum circuit model. Before we specify the 
particulars of our model we review some of the features peculiar to quantum computation by 
contrasting a particular classical probabilistic circuit model with its quantum counterpart. 



A classical probabilistic circuit takes as input a string of bits, runs them through 
a sequence of one and two-bit probabilistic gates, and outputs a string according to the 
probability distribution induced by the array of gates. For our purposes it will be convenient 
to assume these gates have equal length input and output. In particular, we take the 
deterministic NOT and FAND (fan-out and) together with a probabilistic NOT1/2 gate 
as our basis. The NOT1/2 gate acts like the deterministic NOT gate with probability 1/2 
and with probability 1/2 allow the bits to pass through unaffected. We can represent these 
gates by their transition matrices. 



1 ^ 



NOT 



FAND 



V 



NOT 



^ 1/2 1/2 ^ 



1/2 



^ 1/2 1/2 j 



J 



10 
10 
1 

where the rows and columns are indexed by bit strings in lexicographic order and the matrix 
entries represent the transition probabilities induced by the gate. The state of the circuit at 
any stage s can be described by a probability distribution on n-bit strings, or equivalently 
as a vector in 

i6{0,l}" 

where Pi^g denotes the probability that the bits are in the configuration \i) at stage s. Thus 



the pi^s are nonnegative reals satisfying 



E 

ie{o,i}» 



Pi 
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The probabilities pi^g can be gotten from the Pi^s-i by the formula 

Pi,s = Pj,s-l'tj,i,s-l: 

ie{o,i}" 

where is the probability that the string \j) transitions to the string |i) when the gate 

of stage s — 1 is applied. Again, the tj,j,s's are nonnegative reals satisfying 

i6{0,l}" 

for all j,s. The matrix of values (tj,i,s) for a fixed s is a tensor product of the identity 
matrix and the transition matrix of the gate (see above) applied at stage s. A classical 
probabilistic circuit with final state 

jG{0,l}" 

outputs the string i with probability pi^Sf at the conclusion of the algorithm. 

In analogy to the classical case, a quantum circuit takes as input a string of qubits 
and runs them through a sequence of one and two-bit quantum gates. In this case the state 
of the machine at any stage s is unit vector in V^, 

ie{o,i}" 

where the are complex numbers satisfying 

E N' = i- 

ie{o,i}" 

As in the classical case we assume that the input is a determinate bitstring, i.e. a quantum 
state of the form \i) for some i G {0,1}". As before, the amplitude ai^g of a state \i) at 
stage s can be gotten from the ai,s-i by the formula 

~ 0:j,s-lTj,i,s-li 
J6{0,1}" 
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where Tj^i^g-i is the amphtude with which the state \ j) transitions to the state \i) when the 
gate of stage s — 1 is appHed. Again the the matrix of values {Tj^i^s) is a tensor product 
of the identity matrix with the transition matrix of the gate apphed at stage s, but in the 
quantum model the Tj^i^^s are not positive real probabilities, but complex numbers whose 
amplitudes squared satisfy 

ie{o,i}" 

for all j, s. 

In order to obtain classical information from the final quantum state \asf) output 
by the array, a measurement in the standard basis is performed at the conclusion of the 
algorithm. The probability of measuring a particular string \i) is given by 

We now isolate the aspects of the quantum model which distinguish it from its 
classical counterpart. First, we focus on the class of allowable gates. The principles of quan- 
tum mechanics require that the evolution of a quantum state be reversible - no information 
can be gained or lost. The classical FAND gate, for example, violates this principle since 
it maps both the strings 00 and 01 to the string 00. This reversibility requirement restricts 
the class of allowable gates to those whose transition matrices are unitary and raises the 
question of whether a quantum device is capable of even simulating a classical probabilistic 
circuit, much less moving beyond it. Such a simulation is possible if we allow the circuit 
to maintain a copy of its input throughout the computation. That is, if there is a classical 
probabilistic circuit mapping 

\i) — ^ \j) with probability pij 
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then there is a quantum circuit of polynomially-related size mapping 

K)|0) — where \aij\^ =Pij- 

The following three gates, known as the Hadamard, the controUed-not, and the 1/8-rotation 
respectively, together suffice for such a simulation. 



'^ 1 ^ 



H 



( ^ ^\ 
V 73 "73 / 



CNOT 



V 



1 

e2-V8 



10 
1 
10 

Moreover, they are universal for quantum computation, that is, they can be used to ap- 
proximate any unitary transformation on n qubits with arbitrary precision. 

Theorem 1. Any unitary transformation on n qubits can be approximated to within e by a 
quantum circuit of size O (n^4"log'^ (n^4"/e)) over the gates {H,CNOT,R^}. 

Theorem 1 was proved independently by Solovay and Kitaev. See [25] for a nice 
proof and history. 

While quantum circuits can efficiently simulate their classical probabilistic coun- 
terpart, the converse appears to be false. What are some of the difficulties inherent in such 
a simulation? One fundamental difi^erence between the quantum and classical models is 
that in the quantum setting the transition function r is complex- valued. This expresses 
the phenomenon of Quantum Interference - nontrivial computational paths can cancel each 
other out and disappear - a property which lies at the heart of the apparent exponential 
power of the quantum model over its classical counterpart. Another difference is that the 



12 

norms of the amplitudes of the state vector and the transition function are only quadrati- 
cally related to their associated probabilities. This property is exploited by the data-base 
search algorithm of Grover [15] and its extensions which achieve a corresponding quadratic 
speedup over probabilistic classical computation. 

So far the only classical simulations of quantum circuits involve keeping an explicit 
record of the exponentially many amplitudes associated with each step of the computation. 
Such a brute-force simulation can be accomplished using polynomial-space (but exponential- 
time) on a classical Turing machine and, more specifically, inhabits the complexity class 
P* C PS PACE [6]. This indicates that proving outright that quantum circuits cannot be 
efficiently simulated by classical computation is very difficult - such a proof would imply that 
P 7^ PSPACE, a long-standing open question in complexity theory. On the other hand, 
Shor's quantum algorithms for factoring and discrete logarithms, well-studied problems for 
which there is no efficient classical solution, together with various oracle results, provide 
indirect evidence that no such simulation exists. 

Finally, we note that classical devices have been proposed that purportedly solve 
A'^P-complete problems in polynomial-time [36] . In each case it was shown that the device 
in question required either exponential precision or energy and that its apparent power was 
hidden in one of these untenable physical assumptions. It is critical to point out that this 
is not the case in our quantum circuit model. In particular, we need not implement our 
basic gates exactly, nor even with exponential precision, to achieve the apparent power over 
classical circuits. It suffices to be able to approximate these gates to within an arbitrary 
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inverse polynomial, that is, to implement a unitary transformation U satisfying 

||?7-G|| < l/p{n), 

where G is the unitary transformation induced by the desired gate. This follows from 
fundamental work of [6] showing that the errors incurred by such gate approximations are 
additive. Thus for any given polynomial-size circuit each of these errors need only be less 
than a (larger) inverse polynomial in order for the distribution output by the approximation 
to be close to that of the exact circuit. 



1.5 A Quantum Circuit Model 



We now turn to the particular quantum circuit model used in this thesis. Our 
circuits will use the following slightly redundant set of gates, in keeping with [12]. The 
Hadamard, 



H 



1 1 
V V2 V2 / 



(1.2) 



The single qubit rotation gates. 



V 



(1.3) 



1 

e2-'/2^^ 

And, finally, the 2-qubit controlled rotation gates which perform the rotation R}~ if and 
only if the control bit is a 1. These three types of gates are shown in Figure (1.1). For 
simplicity we assume that we are also able to run these gates in reverse. Multiple gates 
may be performed in parallel (i.e. to distinct sets of bits) at any given stage, allowing for 
both size (total number of gates) and depth (number of stages) analyses of our algorithms. 



14 



H 



Rk 



Rk 



Figure 1.1: Quantum Gates: Hadamard, Rotation, Controlled Rotation. 

In our discussion of the hidden subgroup Problem we will require quantum circuits which 
have oracle access to some function /. For our purposes we can assume without loss of 
generality that our input includes a special string of clean (all zero) qubits which are left 
untouched throughout the algorithm except for a single function call. At this point the 
oracle is invoked and the result is copied into the string of clean bits. A more general model 
would have to allow for multiple calls to the oracle and for manipulations of the resulting 
strings, but this restricted version suffices for our purposes. 

1.5.1 Arithmetic Quantum Circuits 

It will be useful for us in presenting our results to build a small repetoire of 
important subcircuits, in particular, quantum circuits for basic arithmetic operations. The 
following two lemmas allow us to translate classical results about arithmetic circuits to the 
quantum setting. 



Lemma 1. Suppose the map 



\x) \f{x)) 
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is computable by classical deterministic circuits of size s{n) and depth d{n). Then the map 

\xm^\x)\f{x)) 

is computable by quantum circuits of size and depth O {s{n)) and O {d{n)) respectively. 
Lemma 2. Suppose that f is 1-1 and the maps 

\x)^\f{x)) and \x)^\f-\x)) 
are computable by classical deterministic circuits of size si(n) and S2{n) and depth di{n) 
and d2{n) respectively. Then the map 

is computable by quantum circuits of size O (si(n) + S2(n)) and depth 0{di{n) + d2{n)). 

These lemmas were originally proved in the context of classical reversible compu- 
tation [3] - there is nothing inherently "quantum" about their proofs, which we proceed to 
sketch. 

The first step in constructing a quantum (or classical reversible) circuit from a 
deterministic one is developing subcircuits which can simulate a universal set of classical 
boolean gates, such as NOT and AND. Simulating the classical NOT gate is easy since it 
is already reversible (Figure 1.2). Simulating the classical AND gate proves trickier. The 
three-qubit transformation pictured with its truth table in Figure 1.3 can be accomplished 
in constant size and depth by a surprisingly complicated configuration of our basic gates 
(See, for example, [25], page 182). 

This gate is sometimes referred to as the controUed-controlled not, since it performs 
a controlled- not on the last two qubits if and only if the first is a 1, but more often it is called 
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Figure 1.2: Quantum Not. 
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Figure 1.3: Toffoli Gate. 

the ToffoUi gate in reference to [34]. It is easy to see from its truth table representation 
that, if the third qubit is set to |0), the AND of the first two input qubits is recorded in 
the third output. 

With these two subcircuits now in hand, suppose we are given a classical circuit 
computing our function /. We replace each NOT gate by subcircuit (1.2) and each AND 
by subcircuit (1.3) supplemented with a clean qubit in its third register. This necessitates 



17 



a supply of at most s(n) clean qubits and yields a quantum circuit mapping 

k)|0) — \x)\junkx)\f{x)), 

where junkx are the junk-bits output by the first two registers of each Toffolli. The size and 
depth of this portion of the circuit are related to the classical circuit by constants deriving 
from the size and depth of the subcircuits (1.2) and (1.3). 

f{x) is then copied into a remaining set of clean bits, 

\x)\junkx)\f{x))\0) \x)\junkx)\f{x))\f{x)). 

A single bit can be copied into a clean qubit via the controlled- not subcircuit of Figure 1.4, 

and we let COPY denote the important subcircuit of size 3n and depth 3 consisting of n of 

lb> O lb> 



H 




Rl 




H 



lb> 



lj> 



lj> 



I0> 



COPY 



7 lj> 



Figure 1.4: Controlled Not and Quantum Copy. 
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these controUed-nots in parallel. 

Finally, the initial computation is run in reverse, yielding the desired map 

\x)\0)^\x)\0)\f{x)). 

The size and depth bounds follow easily. 

We now turn to the second lemma. We have already shown how to construct 
circuits performing both 

|a;)|0)^|x)|/(x)) 

and 

\f{x)m^\f{x))\x). 

These circuits need merely be composed - the second in reverse - to obtain a circuit com- 
puting the desired 

|x)|0)^|0)|/(x)). 

One drawback of this simple construction is the inflation of the number of qubits 
needed to accomplish the computation in question. In particular, since each Toffolli gate 
requires at least one clean qubit, the number of qubits required is proportional to the size of 
the classical circuits involved. It is possible to improve this space bound at the expense of 
the other parameters [4], but we shall be primarily concerned with minimizing the overall 
size and depth of our circuits. See also [35] for quantum arithmetic circuits constructed 
with an emphasis on minimizing this space requirement. 

Addition and subtraction can both be accomplished by classical circuits of size and 
depth 0(n) and O(logn) respectively. By Lemma 2, then, the quantum addition circuit 
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Figure 1.5: Quantum Addition 

pictured in 1.5 also has size 0{n) and depth (3(logn). We shall also use a modular addition 
operation, denoted +N, which maps \ j)\k) to \ + k mod N) for j, k < N. It is easy to see 
that this bijection can be accomplished with asymptotic size and depth identical to regular 
addition. Finally, we will have occasion to run each of these circuits backwards, performing 
— and — jv respectively. 

We shall also require two types of multiplication circuits. The first, pictured in 
Figure 1.6, takes as input an n-bit decimal d > 1, an n-bit integer j, and an integer k 
with < k < d. It outputs the nearest to dj + k with ties broken by some consistent 
convention. The requirement d > 1 ensures that this map is a bijection and thus Lemma 2 
can be invoked. We let -i- denote this multiplication circuit run in reverse. Analyzing the 
circuit's size and depth is more complicated than in the case of addition. Currently the best 
classical circuits for multiplication have size 0(n log n log log n) and depth O(logn). But in 
order to apply Lemma 2 we must also perform division, a notoriously stubborn operation to 
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lk> : 



Figure 1.6: Quantum Multiplication with Remainder 

parallelize. There are classical division circuits of size 0(n log n log log n) which have depth 
0(lognloglogn)[28]. However, the smallest 0(log n)-depth classical division circuits have 
size 0(n^"'"^)[19]. Thus the quantum multiplication circuit (1.6) can either be performed 
in simultaneous size and depth 0(n log n log log n) and O(lognloglogn) or 0{n^^'^) and 
O(logn). 

If an n-bit approximation to 1/d is available - in Algorithm 3 we can prepare this 
inverse classically - multiplication by l/d can be substituted for division. The multiplica- 
tion circuit pictured in Figure 1.7 can thus be performed in simultaneous size and depth 
0(n log n log log n) and O(logn) respectively. 

The classical multiplication and division techniques which achieve these various 
sub-quadratic circuit sizes all make use of the discrete Fourier transform. This raises the 
interesting question of whether there is some inherently quantum method which improves 
upon these techniques, perhaps by using the QFT. As noted in [32] it could allow quantum 
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Figure 1.7: Quantum Multiplication with Inverse 

decoding of RSA encryption to run asymptotically faster than the corresponding classical 
encoding. 
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Chapter 2 

Quantum Fourier Transforms and 
The Hidden Subgroup Problem 

2.1 The Discrete Fourier Transform 

Let G be a finite abelian group and let V be the vector space over the complex 
numbers consisting of formal linear combinations of elements of G, 

We use * to denote the group convolution operation induced by G on F, that is, the 
operation 

* k) = X] Yl ^^'^^ 1 If)- 

geG \hk=g j 

Notice that the 1^) G G form a group under this operation which is trivially isomorphic to 
G itself. 

The discrete Fourier transform, or DFT, is a symmetric unitary transformation F 
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of V satisfying 

cF{\g)*\h))=F\g).F\h) (2.1) 

for all g,h £ G, where • denotes pointwise vector multiplication and c is the normalization 
factor l/^y\G\. The DFT thus exhibits a group isomorphism between the \g) E G under 
group convolution and the \F{g)) G G under pointwise multiplication. This characterization 
of the DFT is sufficient for the applications discussed in this thesis. For the definition of 
the DFT in terms of group representations, still in the setting of quantum computation, see 
[25]. 

Cyclic G 

If G = Zjv, the cyclic group on N elements, then the transformation 



\j) — ^ |A;) with amplitude --y=ijjj^. 



where a; at = e~ satisfies (2.1). In fact, lvn could be replaced with any primitive Nth root 
of unity and the resulting map would still satisfy this condition. It is not hard to show that 
these are the only such transformations and thus our characterization yields a unique DFT 
up to isomorphism of the underlying cyclic group. 

Example: A simple example is the DFT over Z2, which is the map sending 



and 
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The matrix representation of this map is thus 

( ^ ^\ 

Finite Abelian G 

By the Fundamental Theorem on finite Abehan groups, any such G can be de- 
composed as a direct product of cyclic subgroups. Its DFT is the tensor product of the 
DFT's corresponding to each cyclic subgroup in this decomposition. Again it is possible 
to show that there is a unique map satisfying (2.1) up to isomorphism of the underlying 
group. Before giving a description of these maps we present a simple example. 

Example: The simplest example of this tensor product construction is the DFT 
over 0„.^2 = (-^2)", sending 

with amplitude 

n ^^^^ = 

where -2 denotes the mod 2 dot product. ■ 
More generally if G = 0j<„ Zp^ is an arbitrary finite abelian group given by its 
decomposition as a direct product of cyclic groups we can describe the DFT over G in a 
uniform manner. We first define the mod G dot product, -g as follows. 

Definition 1. Suppose G = 0j<„ Zp^. Let P = \G\ = pip2 ■ ■ - Pn o,nd Pi = P/pi Then -a 



(2.2) 
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is the binary operation on G given by 

, 1 
9-Gh = - 



Yl ^o9jhj I mod P 

1 0<j<n 



where g and h equal (gi, g2, ■ ■ ■ , gn) and (hi, h2, ■ ■ ■ ,hn) respectively. 

The value of this definition is that the DFT over G can now be simply described 
as sending 

1^) — > \h) with amplitude ^^a;^'^''. 



DFT vs. QFT 

The classical task of computing the DFT over Zjv of an explicitly given vector 
of complex numbers v = {vi,V2,--- ,vn), a task which naively appears to require 0{N'^) 
arithmetic operations, can actually be accomplished in 0{N log N) arithmetic operations, 
by techniques referred to as the fast Fourier transform, or FFT (See Sections 3.2.1 and 
3.3). This nontrivial algorithm, together with the fact that the DFT maps *, i.e. group 
convolution, to •, pointwise multiplication, is exploited by the many classical applications 
of the DFT, such as Fast Polynomial and Integer Multiplication. 

In contrast to this classical computational task, the quantum Fourier transform 
or QFT refers to the implementation of the discrete Fourier transform on the underlying 
quantum state space. In other words, the input is not an explicit vector of complex values, 
but a quantum state 

i<N 

whose amplitudes represent the vector to be transformed. The output of the QFT over Zn 
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is the quantum state 



where 



j<N 



i<N 



Example: It is not hard to see that one of our basic quantum gates, namely the 
Hadamard (See Equation 1.2 and Example 2.1) is precisely the QFT over Z2. Moreover, 
applying n Hadamards independently to each qubit as pictured in Figure 2.1 accomplishes 



H 



H 



H 



H 



H 



Figure 2.1: QFT over 

the QFT over {Z2)"', which we will denote (i*2)"- This is the first and simplest example of a 
polynomial sized quantum circuit implementing the QFT over an exponential-sized group. 



The fact that the QFT over exponentially large groups can be efficiently imple- 
mented is the basis for for all quantum algorithms achieving exponential advantage over 
classical computation. However, it is important to notice that, in and of itself, the ability 
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to perform the QFT over an exponentially large group does not represent an exponential 
speedup of any classical task, such as DFT computation. This contrast between the clas- 
sical DFT and the QFT has been likened to, on the one hand, producing a list of all the 
probabilities of points in the sample space of some distribution (the classical DFT) and, on 
the other hand, producing a method for sampling from that distribution (the QFT). We 
now turn to a situation where the ability to compute the quantum Fourier transform over 
an exponentially large group does give quantum computation advantage over classical, an 
astounding exponential advantage to be precise. 

2.2 Simon's Algorithm 

Simon [33] gave a polynomial-time quantum algorithm for the following promise 

problem. 

GIVEN: A function / defined on {Z2)"' which is 2-1 and satisfies f{x) = f{x © b) 
for all X and some fixed b. 
FIND: b. 

This is our first example of a hidden subgroup problem. The given function / is 
defined on the group (^2)" and constant on cosets of the unknown subgroup {0, b}. The goal 
is to reconstruct this subgroup. The following quantum procedure is commonly referred to 
as Simon's algorithm. It exploits a certain coset invariance property of the QFT - regardless 
of which coset x of {0, 6} is input to the QFT at Step 2, the output distributions are identical 
The information about the particular coset is concentrated in the complex phases of the 
final superposition, while its distribution encodes just the underlying subgroup {0,6}. 
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Algorithm 1. Simon's Algorithm} 

1. We prepare the input to the Fourier transform as follows: 

|0)|0)^ ^ |x)|0)^ \x)\f{x))= ^ (|x) + |xe6))|a) 

x<2^ x<2^ aeRf 

where Rf denotes the range of f. 

2. Quantum Fourier Transform over 0^ Z2 : 

{\x) + \x®h))\a) ((_i)-2^ + (_i)(-®f')-J/)|y)|a) 

j/<2" 

= (-ir'b)i«)' 

where -2 denotes the mod 2 dot product. 

3. Measure the first register. 

Repeat this quantum subroutine 0(n) times and obtaining {yi}. Solve(classically) the system 
of equations yi -2 z = 0. Output this solution 

Our quantum subroutine outputs a yi uniformly at random from the set of y such 
that y -2 6 = 0. It is not hard to show that after 0{n) repetitions of the subroutine the 
resulting system of linear equations will have a unique solution with high probability and 
the correctness of the algorithm follows. 

It is possible to show that any classical probabilistic algorithm for this problem 
has query complexity f2(22) [33], thus this is an example of a (promise) problem where 

quantum computation achieves exponential advantage over classical computation. In fact, 

^In this and all later quantum procedures we shall feel free to suppress global normalization factors in 
order to preserve readability. 
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we show in Chapter 8, Section 8.2 that, even in the presence of non-determinism, any 
classical probabilistic method of distinguishing functions that are 1 — 1 on {Z2)"' from 
the 2 — 1 functions described above requires a similar exponential number of queries. In 
contrast, this can be accomplished in polynomial-time on a quantum computer by a slight 
modification of Algorithm 1. 

2.3 Generalizing Simon's Algorithm: The Abelian Hidden 
Subgroup Problem 

Algorithm 1 is the prototype for all later hidden subgroup algorithms, including 
Shor's celebrated algorithms factoring and discrete logarithm [32]. We reinterpret Algorithm 
1 in terms of "Fourier sampling" over G = 0^ Z2 , then show how this procedure generalizes 
to an arbitrary finite Abelian group. Our approach is similar to that of [21]. 

Algorithm 2. 1. Prepare 



a 



xeG 



where fn is constant and distinct on the cosets of H < G 



2. 



Sample from X'fqIq), the distribution gotten by measuring the first register of 



FG\a) = J2PG\x)\fH{x)), 



xeG 



where Fq denotes the QFT over G. 



Repeat this quantum subroutine 0{n^) times where n = log|G| obtaining samples 



{Vi} 



Solve(classically) the system of equations yi -g z = 0. Output this solution 
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We can describe the distribution sampled by the quantum procedure using the 
following definition: 

Definition 2. Let G be a finite abelian group. For any subgroup H < G let < G be the 
subgroup consisting of the elements g E G satisfying 

9-Gh = 

for all he H. 

In the particular case G = Z2 and H = {0, b}, i.e. Simon's algorithm, we have 
already seen that the distribution I'fgIq) is supported uniformly on the subgroup H^. We 
now show that for any finite abelian G and H < G, I^Fgia) is uniformly supported on H-^. 



Recall that 



For any 3 G G let 



be the convolution of l^') and the first register of |a). Then for any h & H, 

cFcla) = cFalh * a) = FG\h)-FG\a), (2.3) 
for c = . The first equality follows from the fact that, since fn is constant on cosets 



xeG 



\g*a) = \g) * \a) = — ^ ^ \g + x)\fH{x)), 
V l*^! xeG 



of H, \a) = 1^ * a), and the second from our definition of the Fourier transform. Since the 
amplitude of Fclh) at \x) is | oj^'g^ this equality can hold only if Fda) is supported on 



|x) satisfying u^'^^ = 1 for all h e H. This is precisely as claimed. 

Showing that the distribution is uniform on H-^ requires more detail. Fix any state 
\y)\a) with y G and a in the range of fn- The amplitude at this point is determined by 
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the Fourier transform of the superposition 



for some fixed k, since is both constant and distinct on the cosets of H. The resulting 
amphtude at \y)\a) is thus 

\H\ 



where the last equality follows from the assumption that y G H^. Clearly the norm of this 
amplitude is independent of y (and a), whose influence is only seen in the complex phase 
u^'^y, and the probabilities arising from the squares of these norms are thus uniformly 
distributed over H^. 

How many samples are required in order to generate H-^ and thus solve for the 
generators of HI In the special case of G = Z2 and H = {0, 6} a simple argument shows 
that 0{n) samples suffice: For any n-bit y ^ b the probability that a random element of 
X G {0, 6}-*- satisfies y -2 x = is at most 1/2. Since there are 2" — 1 such y the probability 
that b is not uniquely determined falls off as 2"(l/2)* where t is the number of samples. 

In general we need to ensure that our samples samples are not contained in any 
proper subgroup of H^. This is achieved after O(n^) samples where n = log|G|. In 

2 

particular, there are at most < 2" such subgroups - each is determined by a set of at 
most n generators chosen from G. Moreover, each has size at most half of H^. Thus the 
probability that there exists one such subgroup containing all t samples decreases as 



n2 



t 
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In theory, then, Algorithm 2 solves the hidden subgroup problem for any finite 
abelian group G. But so far we have only seen circuits implementing this procedure in the 
special case G = 0^ Z2 (Figure 2.1). Step 1 requires the preparation of an equal superpo- 
sition over the group G and an evaluation of the function fn- This is easily accomplished. 
Generalizing Step 2 hinges upon extending the class of groups with efficient QFT's. More 
specifically, the class of cyclic groups with efficient QFT's must be extended since these can 
be tensored together to produce the QFT over an arbitrary finite abelian group. We turn 
to this topic in the next Chapter. 
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Chapter 3 

Computing the Quantum Fourier 
Transform 

3.1 The QFT over Zn, N Smooth 

Two separate methods emerged for extending the class of cychc groups with effi- 
cient QFT's. The first, developed by Shor [31] and subsequently Cleve [9], was based on 
the recognition that the component QFT's over Z2 in the circuit for the QFT over Z2 
could be replaced by QFT's over any sufficiently small cyclic group. In particular, since 
any n-bit unitary operation can be approximated by exponential-size quantum circuits via 
Theorem 1, the QFT over Zjn can always be approximated by a circuit of size 0{m^). It 
follows that the QFT over any group of the form 0j<„ where the rrii = 0{n^) can be 
efficiently computed. More importantly, this insight allows us to efficiently compute the 
QFT over a special class of exponentially large cyclic groups. In particular, suppose that 
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Figure 3.1: QFT over 0.<„ 



N = mim2---mk where the rrii are pairwise relatively prime. By the Chinese remainder 
theorem we have Zn = ^^^f. via the isomorphism 



a mod N — ^ (a mod mi, a mod m2, . . . , a mod m^). 



This isomorphism is easy to compute, and can be inverted as well using the formula 



(3.1) 



mod N = mod mi)Ni (^N- ^ mod rrii) , 



(3.2) 



i<k 



where Ni = N/rui. 

Thus if we are given an N which factors into pairwise relatively prime sat- 
isfying rrii = 0{log'' N), we can compute the QFT mod Zn by first computing 3.1, then 
performing the QFT over ©j^;- -^mj) a-^d then inverting by 3.2. Obviously we need to know 
the factorization mim-2 ■ ■ ■ rrik but these can easily be computed classically since they are 
so small. This reasoning thus extended the class of groups whose QFT could be efficiently 
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implemented to include cyclic groups Zn for N smooth, i.e. with prime power factors all 
of size 0{n = log A'^) [31], and, more generally, for any A'' with prime power factors equal to 
0(71^=) [9]. 

3.2 The QFT over 

The second method was developed independently by Coppersmith [14] and Deutsch. 
By exploiting the same recursive structure of the DFT over which leads to the classical 
FFT, the QFT over can be computed exactly by a quantum circuit of size and depth 
n^. As in the classical setting the method can be generalized with only minor changes to 
any N = where c is a constant. 

The recursive structure of the DFT over Z2n is encapsulated by the following 
product representation. Let j = j'l j2 ■ ■ ■ jn is be the bit representation of j where ji is the 
most significant. Then the DFT over Z2n can be written as 

I (|0) +a;-^"|l)) (|0) +a;-^"-i^"|l)) " " " (|0) + a^-^'^^""^"!!)) 

' 2n/2 ■ 

We digress briefly to show how to derive the classical FFT from this expression. 

3.2.1 The Classical FFT 

The classical FFT algorithm was first proposed in [13] but its motivation goes 
back to Gauss. The product representation of Equation 3.3 lends itself most nicely to the 
decimation-in-frequency, as opposed to decimation-in-time, version of the classical FFT. 
Suppose the input to the DFT is the vector \v). Let \w) and \z) be the length 2""^ vectors 
with amplitudes 
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Wj = Voj + Vij 



and 



Zj = LO ■'Voj + UJ' ■'Vlj. 



Then the ampUtude of the product expression (3.3) at an even integer |A;) = 
\k1k2 ■ ■ ■ kn) is just the amplitude at \k1k2 • • • kn-i) of the DFT over 2"~^ of \w). Further- 
more, the amphtude at an odd |A;) is just the amphtude at |A;iA;2 • • • kn-i) of the DFT over 
2"-i of 1^). 

The DFT over 2" can then be gotten by performing these 2 related DFT's over 
2""'^. Computing the vectors \w) and \z) from \v) requires 0{N) arithmetic operations. 
Thus we get the recurrence relation 



for the arithmetic complexity of the classical DFT over N = 2^, leading to the well-known 
bound of 0(iV log iV). 

Recall our definition of the Fourier transform as a map taking convolution to 
pointwise multiplication and back again. Computing the convolution of two vectors \v) and 
\w) in a brute force manner requires 2N arithmetic operations for each amplitude 



i<N 

and thus 2N'^ for the vector as a whole. If we instead perform an FFT, pointwise multiply, 
then invert the FFT, only 0{N log N) arithmetic operations are involved. This rather 



T{N) = 2T{N/2) + 0{N) 
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startling fact is the basis for the well known fast polynomial and integer multiplication 
algorithms [29]. 

3.2.2 The QFT over Z^-n 

The product representation (3.3) leads even more directly to the following quantum 
gate array which computes the QFT mod Z^n- . exactly. This gate array has size and depth 



"2 = O(n^). The gates can easily be rearranged so that the circuit has depth 0(n) [23]. 
In particular, let Gij for i < j denote the controlled-rotation gates Rj^i^i whose inputs are 
the ith and jth wires in Circuit 3.2. Also let Gu be the Hadamard gate which is applied 
to the ith bit. It is not hard to see the only requirement imposed by the above circuit is 
that whenever i + j < i' + j', Gij must precede Gj/^/ in the computation. By arranging 
the gates in 2n — 1 stages, where at the A;th stage the all the gates Gij with i + j = k are 
performed in parallel, the exact QFT over 2" can be performed in size 

llSIl+R = o{n'^) and 

depth 2n + 1 = 0{n). 



In practice, we are interested in merely approximating the QFT to within an 





Figure 3.2: QFT over Z2n. 
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arbitrary inverse polynomial. Since most of the rotation gates in the Circuit 3.2are very 
small, by just omitting the rotations in 0(e/n^) a circuit of size and depth 0(n log ^) which 
approximates the QFT over Z^n to within e can be achieved [14]. In particular, when e is 
an inverse polynomial this gives a gate array of size O (nlogn). Since such approximations 
suffice for any polynomial-time computation, this is a clear benefit of this recursive technique 
over the technique of Section 3.1 for which there is no similar approximation technique. 
Unfortunately, this benefit applies only to the size of the circuits - the depth of the parallel 
version of Circuit 3.2 outlined in the previous paragraph is not further reduced by this 
omission of gates. 

Shor's algorithms for factoring and discrete log can be based on either the QFT 
over Ztv for smooth N or the QFT over Z^n- , but the inability to transform over an arbitrary 
cyclic group complicates their proof. While there is no direct way to extend either of these 
methods to encompass a larger class of cyclic groups, the reliance of the QFT over Z2n 
on the insight which led to the FFT over the same domain raises a natural question. We 
have an generalized classical FFT algorithm, i.e. an algorithm for computing the classical 
DFT over for arbitrary A'^ which has arithmetic complexity 0(A'^log A'^), identical to the 
standard FFT over a power of two. Why not try to base a QFT on these classical methods? 

3.3 Quantum Chirp- Z. 

Since the circuit performing the QFT over a power of 2 is derived from the classical 
FFT circuit, it is natural to try to derive a circuit for the QFT over a general modulus 
from the corresponding general modulus classical method. We first review this method. 
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known as the chirp-z transform and attributed to Rabiner et al [27] . We then translate this 
approach to the quantum setting and show that with a slight modification we do obtain an 
efficient e-approximate QFT which succeeds with probability e^. On the one hand, this is 
not strong enough to be useful in a general setting - in particular, if an algorithm involves 
more than a constant number of QFT's replacing them all with these approximations would 
reduce the success probability to below an inverse polynomial. On the other hand, all the 
hidden subgroup algorithms to date use just a constant number of QFT's in each quantum 
subroutine and thus this method could be used. It will not be as efficient as the Eigenvalue 
Estimation procedure of Section 3.4 and our Algorithm 3 but may be of independent interest. 

The classical chirp-z transform is essentially a method of reducing the transform 
over an arbitrary modulus to a combination of multiplication and convolution. The net 
result is that the transform over an arbitrary modulus with n = [log N\ can be accom- 
plished via 3 FFT's over 2"+^ together with 0{N) extra arithmetic operations. Thus the 
asymptotic arithmetic complexity of the general modulus DFT is the same as that of a 
power of two, namely 0{N\ogN). 

We now describe this in some detail. Given \a) = X^j<jv wish to compute 

the vector \a) where 

i<N 

We let 

\b) = ^ UiUjJf'' and |c) = ^ <^^''^K)- 

i<N j<2"+i 

Clearly \b) can be generated from |a), and |c) created, using 0{N) arithmetic operations. 
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The crucial insight is that kth convolution coefficient of |6) and |c), 

dk = ^2 ^i^k-i, 

i<2"+i 

satisfies 

, -fcV2 \^ ik 
dk^N — = 0,k-N 

i<N 

whenever k > N. Thus the convolution vector \d) can be used to produce the desired 
vector \a) via 0{N) arithmetic operations. As discussed in Section 3.2.1, the convolution 
vector \d) is obtained by computing the FFT mod 2"'"'"^ of the vectors \b) and |c), pointwise 
multiplying the two resulting vectors, and computing the inverse FFT of this product. 

This method uses 0{N) arithmetic operations to create the vectors \b) and |c), 
perform the pointwise multiplications which are sandwiched between the FFT's, and recover 
the Fourier coefficients from the convolution coefficients. Moreover it involves a total of three 
FFT's over 2'^'^^, leading to an overall arithmetic complexity of O (NlogN). 

Is it possible to implement this type of convolution reduction in the quantum 
setting? Recall that in this case we are given as input the superposition \a) = Yli<N'^i\'^) 
and we wish to output the superposition \a) where 

i<N 

The superpositions analogous to |6) and |c) above, namely 

1^) = H^^^Jv' ''^K) and I7) = w^^^li), 
can be created easily. For example, the map 

|a) \P) 
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is achieved by computing putting this value into the phase, and then erasing it. 

Convolution of these two superpositions poses a problem. We can perform the 
required QFT's over 2"+^ yielding the superposition 

I^)l7)= E (3-4) 

i,j<2"+2 

We desire the superposition X^j<2"+2 ATiK) corresponding to the pointwise multiplication 
of \$) and I7), but the best we can do is to subtract the first register in 3.4 from the second 
and measure this difference, yielding 

E ^^iMj-i) (3-5) 

i<2"+2 

for each possible {j — i) with equal probability. If (j — i) = then this is the desired 
superposition and taking the inverse QFT over 2"+^ completes the convolution. We then 
finish the algorithm by collapsing the superposition to the interval {A'^, . . . , 2N — 1} and 
shifting the phase at \l) by lOj^ ' . 

But the probability that (j — i) = is exponentially small. More likely the value 
in the second register will be some non-zero h = j — i. Then the output of the algorithm 
corresponds to having convolved, instead of the desired superpositions and I7), the 
superpositions |/?') and I7) where 

Thus if we collapse to the appropriate interval {A^, . . . , 2A^ — 1} and shift phases as described 
above we will have computed the transform over N of the superposition |a') where 

/ ih 
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instead of the desired \a). 
Now, if 



for some integer k then the superposition \a') defined above and the superposition \a^) with 
amphtudes 

a- = aico^ 

have distance at most 0(e). This is most easily be seen by observing that their inner product 
is large. The transform of ja'^) over is just the shift (mod A^) by k of \a), and thus the 
transform of \a') over N shifted by k is 0(e)-close to the desired |a) whenever Equation 3.6 
holds. 

Since the k which minimizes the difference in Equation 3.6 can be ascertained from 
h, whenever this difference is suitably small we can perform the required shift and achieve 
an e-approximation to \a). Since the condition of Equation 3.6 holds for a fraction of the 
h the success probability is as claimed. 



3.4 Eigenvalue Estimation 

Kitaev [22] gave the first algorithm approximating the QFT over an arbitrary 
cyclic group based on his method of Eigenvalue Estimation. These techniques were further 
refined in ([10], [24], [11]). Our presentation of this QFT algorithm merges some of these 
later refinements with Kitaev's original approach. 
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We first note that we can perform the map 

j<N 

Specifically, we begin by putting the second register into an equal superposition over an 
appropriately large interval and computing ^ . This value is then placed into the phase and 
the computation of ^ is erased. 

More interestingly, it is also possible to approximate the map 

|?)|0)^|i)K). (3.8) 

By combining the map 3.7 with 3.8 in reverse we achieve an approximation to the desired 
transform. 

Map 3.8 is based upon a procedure for estimating the eigenvalues of a unitary 
operator. More specifically, suppose that we are able to perform the operations controlled- 
U, controlled-?/^ , ... , controlled- L'"^'' for some unitary operator U. Assume further that we 
are given an eigenvector [(p) of U with eigenvalue uj^. Circuit 3.3 allows us to determine 
the most significant bits of A with high probability. In particular, if A is exactly A;-bits then 
the input to the QFT in Circuit 3.3 is exactly F2^^|A) and the procedure produces A with 
probability 1. More generally, to achieve the first m bits of A with probability at least 1 — e 
it suffices to choose k = m + O (log(l/e)). How does this enable us to approximate 3.8? 
It is easy to see that the the Fourier basis state \i) of the QFT over Zn is an eigenvector 
with eigenvalue ui^^^ of the unitary operator U = {+1 mod A^). Thus we can use the above 
circuit to recover i/N from \i) with high probability. Multiplying this result by N allows 
us to approximate the map 

\i)\0)\0) \i)\i)\junki) (3.9) 
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Figure 3.3: Eigenvalue Estimation. 

where the last bits are junk deriving from the rounding off of i/N to its most significant 
bits. 

The junk produced by a map such as 3.9 can always be cleaned up using the 
methods outlined in the proof of Lemma 1, yielding an approximation to 3.8. In general, if 
the original map is accurate to within e, the junkless version produced by this method will 
be accurate to within s/N e. In this particular case, however, since a copy of the eigenvector 
\i) is maintained throughout the computation, the errors produced will be orthogonal and 
maps 3.9 and 3.8 will have the same error bound. This seems to have been overlooked in 
[22] which mentions only the more general accuracy result. 

This version of Kitaev's algorithm ostensibly has size and depth O(n^) and 0{n) 
respectively matching the running time of O(ra^) claimed in [22]. 
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Chapter 4 

Parallel Circuits for the Quantum 
Fourier Transform over Zon 



The question of which quantum procedures can be performed in parallel, i.e. by 



circuits of polylogarithmic depth, is of both theoretical and practical interest. There are 
simple, natural problems, such as computing the greatest common divisor of two integers, 
which have no known classical parallelizations. Finding parallel quantum circuits for such a 
problem would further support and elucidate the apparent power of quantum over classical 
computation. On the practical side, parallel computations can significantly reduce the 
computational cost of fault-tolerant implementations of quantum algorithms. In particular, 
a robust model of computational noise must assume that an error can occur in a qubit at 
a given stage in time whether or not the qubit is undergoing a gate transformation at that 
particular stage. Under this assumption the size of the fault-tolerant implementation of a 
parallel circuit - see for example [25], Chapter 10 - will be smaller than the fault-tolerant 
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implementation of the non-parallel version by as much as a factor of 0(n), where n is the 
number of qubits in the original non-parallel circuit. 

We give explicit parallel circuits for approximating the QFT over a power of 2 to 
within an arbitrary inverse polynomial. The existence of such circuits with simultaneous 
size and depth 0(n log n) and O(logn) respectively was proved in [12]. Our construction 
simplifes their approach and reduces the number of qubits required from O(ralogra) to 0{n). 
In some sense this shows that the approximate QFT is inherently parallel, since there is 
no price to be paid for parallelization - asymptotically the size and width of the parallel 
circuits are the same as the apparently optimal nonparallel construction. 

Our construction uses three basic maps, each of which can be approximated by 
shallow depth circuits. The first is the map 

\m^\j)\j), (4.1) 

which we shall refer to as the quantum Fourier state computation, QFS for short, in keeping 
with [12]. The second is the map 

|j)|0)^|i)|i), (4.2) 
which copies a Fourier basis state. Last and most interesting is the map 

\j)\j)\j)\j) = \j)\jf^mjf (4.3) 

which erases the identity of a Fourier basis state from just three copies of that state. We 
refer to this as Fourier phase estimation or FPE again in keeping with [12]. It is easy to 
compose these maps to produce a QFT in the following manner 
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I I . QFS I QCOPYx2 , ,".,3 FPE |^\|-.\3 reverse QCOPYx2 



Shallow circuits for map 4.2 and an approximation to map 4.1 and were exhibited 
in [12]. Their method of Fourier phase estimation, however, uses O(logn) copies of the 
Fourier basis state \ j) to erase its identity This required an ancilla of O(ralogn) qubits 
and also complicated the task of copying \ j) - in order to make the required O(logn) copies 
in parallel classical results about prefix addition were required. By requiring only three 
copies of the Fourier basis state in our Fourier phase estimation we are able not only to 
reduce the qubit requirement but also to simplify the circuits to the point of making them 
explicit, modulo our basic repetoire of arithmetic operations (see Section 1.5.1). We first 
turn to this new Fourier phase estimation procedure 4.3, then give the circuits for maps 4.1 
and 4.2, and finally show how to combine these with a simple preprocessing step to achieve 
an adequate approximation. 

4.1 Fourier Phase Estimation 

We now describe the circuit, pictured in Figure 4.1, which approximates the map 

|j)bf^|0)|j)'- (4.4) 

A collection of exact QFT's modulo 2^'^ for k = O(logn) are performed in parallel on the 
bits of the first and second copies of the Fourier basis state We assume for simplicity 
that 2k divides n. The first copy of the Fourier basis state undergoes n/2k QFT's modulo 
2^^^, applied in parallel to each consecutive sequence of 2k bits. The most significant k bits 



48 

output by each QFT are used as an estimate for the corresponding bits of j and are thus 
xored into these bits to erase them. The second copy of the Fourier basis state undergoes 
n/2k -1 QFT's modulo 2^*^, apphed in parallel to each consecutive sequence of 2k bits 
beginning with the k + 1st bit. As before, the leading k bits of each QFT are xored into 
the corresponding bits of j. The QFT computations are then reversed. The third copy of 
the Fourier basis state is left alone - its sole purpose is to ensure the orthogonality of errors 
from distinct basis states. 

Recall we can compute the exact QFT modulo 2' in size l{l + l)/2 and depth 2/ — 1 
as discussed in Section 3.2.2. Thus the above computation has depth 8A; and size 0{kn). To 
analyze its error we must examine the input and output of each QFT modulo 2^^. Without 
loss of generality we look at the topmost QFT which is applied to the first 2k bits of 
i.e the input is 

The output of the QFT modulo 2^^ on this input is a smeared pointmass concentrated at 
integers near the decimal jij2 • • • j2k-j2k+i ' " jn- In particular, its amplitude at \x) is 

^ \^ , I{x-jlj2---j2k-j2k+l---jn) 
22k '^22* 
l<22k 

This is the sum of 2^^^ equally spaced vectors which wrap around the unit circle 

I a; - jlj2 ■ ■ ■ 32k-j2k+l ■ ■ ■ in|22fc 

times where |-|22fc is distance mod 2^^. The complete revolutions effectively cancel out 
and the only contributions to the final amplitude come from the last fractional revolution. 



49 

There are 2^*^/|a; — jij2 ■ ■ ■j2k-j2k+i ' ' • Jnb^fc vectors in this fractional revolution, and each 
has length ^ leading to an amplitude which is at most a small constant times 

1 

\x - hj2 ■ ■ ■ j2k-j2k+l ■ ■ ■ jnh'^k 

See the proof of Claim 3, Section 9.1.2 for a formal argument via geometric series of a 
similar bound. 

It follows that the probability, i.e. total amplitude squared, of being more than t 
units away from jij2 ■ ■ ■ j2k is 0(l/t). Since we are using the output of the QFT modulo 2^*^ 
to estimate just the leading bits jij2 • • • ifc, we need merely ensure that with high probability 
no carry into these first fc-bits has occurred. In other words we need to bound the probability 
that the offset, t, combines with the bits jk+ijk+2' " 32k to induce such a carry. This 
probability is proportional to 

r — ■ ^ ■ I • (4-5) 

\Jk+l3k+2 ■ ■ ■ J2k\2k 

Unfortunately, this expression is not always small. In particular if jk+ijk+2 ■ ■ ■ j2k is very 
close to zero mod 2^ then much of the smeared pointmass will be at points whose leading 
k bits differ from jij2 ■ ■ ■ jk- Fortunately, this will be a problem for only a small fraction of 
j and we will give a simple processing procedure to reduce the error arising from these bad 
basis states. 

First we derive an expression for the total error arising from this circuit. Let ji 
denote the ith sequence of k bits of j, that is, j = jij2 • • • j„/k and ji = jki+ijki+2 ■ ■ ■ jk{i+i)- 
Then we can generalize the above reasoning to bound the squared error of our circuit on a 



50 



fixed input by 



(4.6) 



l<i<n/fc Ij'l2fc 

Since we have maintained a tliird copy of \j) tlirougfiout tlie computation errors arising 
from different j are orthogonal. Thus the total squared error of the circuit on input 



is bounded by 



\aj\^ max j 1, 



l<i<n/k 



Jib*: 



We define a set of bad values j, denoted B, by letting j G if there exists an i such that 
\ji\2k < 2^^/^. Then the above expression is less than 



El 



l<i<n/k 



+ Ei 

jeB 



a 4 



< 



a, 



(4.7) 
(4.8) 



jeB 



By choosing /c G O(logn) we can make the first of these two terms an arbitrary inverse 
polynomial. The second term is a problem. If the input superposition is supported on the 
set B then this term is one. On the other hand, the j £ B form a small fraction of the whole 
- at most an fraction to be precise. Thus if the input a is fairly evenly distributed 
this second term will also be an arbitrary inverse polynomial for k G O(logn). We will 
use a simple procedure - taking a random shift of our original superposition, computing 
the approximate QFT, and then undoing the effect of the shift - to mimic a uniformly 
distributed input and thus ensure that the overall error is polynomially small. We note that 
for many important applications, such as Shor's Factoring and Discrete Log algorithms. 
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the input superposition is uniformly distributed to begin with and this procedure is not 
required. This will also be true when our parallel circuits for the QFT over an arbitrary 
modulus invoke the parallel circuits for the QFT over a power of 2 as a subroutine. 

Finally we note that by overlapping the bit estimates from the 2 copies of \j) and 
performing a O(logn)- depth carrying procedure similar to that outlined in [12], one could 
get rid of this problematic second term entirely. However, the pre- and postprocessing 
procedures we have chosen are easier to express using our set of basic arithmetic circuits 
and also easy to omit when, as in the algorithms mentioned, it is unnecessary. 

4.2 Quantum Fourier State Computation 

We now turn to the task of approximating the map 

ij)io) \m, 

using parallel circuits. The circuit pictured in Figure 4.2 computes this map exactly in depth 
n and size O(n^). By simply omitting the small rotations, i.e. the Rk for k G Q,{logn), in 
this circuit a la Copppersmith we can approximate this map to within an arbitrary inverse 
polynomial. The resulting circuit, which we denote AQFS, has size O(nlogn) and depth 
O(logn). 

4.3 Copying a Fourier Basis State 

As was pointed out in [12], the map 

|j)|0)^|i)|i), (4.9) 
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can easily be accomplished exactly in size and depth 0(n) and O(logn). First note that 
applying n Hadamard gates in parallel to the second register accomplishes the transforma- 
tion 

|J)|0)^|J-)|6). (4.10) 
Simply subtracting the second register from the first (mod 2"^) accomplishes the map 

\m \j)\jTk) (4.11) 



smce 



\m 



E '^2^1^)1 ^2-^^)1 (4.12) 

a<2" / \i'<2" / 



E (4.14) 

i,i'<2" 

= E ^2n''^'^''^'^'^\i-i')\i') (4.15) 

i,i'<2" 

= fE-2^1^)) (e-'S^'^'^k')) (4-16) 

\i<2" / \i'<2" / 

= |J)|J + ^). (4.17) 

This subtraction can be performed in size and depth 0{n) and O(logn) respectively as 
discussed in Section 1.5.1. 



4.4 Putting it all Together 

We now present two circuits. Circuit 4.3 is an approximate parallel QFT modulo 2" 
which works with high accuracy whenever the input superposition is sufficiently uniform (in 
the norms of the amplitudes) over 2". Circuit 4.4, which calls Circuit 4.3 as a subroutine, 
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is an approximate parallel QFT modulo 2" which achieves arbitrary inverse polynomial 
precision for all input superpositions. 

Assume temporarily that all QFS maps are performed exactly. If the FPE circuit 
called as a subroutine in Circuit 4.3 uses QFT's of size 2k, and thus has depth 0{k), then 
the size of the squared error of Circuit 4.3 on input \a) is bounded by 



and it suffices to choose k G O(logn) to obtain inverse polynomial accuracy. 

Finally, if we perform the QFS maps in depth O(logn) the resulting inverse poly- 
nomial error simply adds to the error already analyzed and we get an overall circuit of size 
and depth 0(n log n) and O(logn) respectively which approximates the QFT to within an 
arbitrary inverse polynomial. 




where B is the subset of indices of size -ttt? defined in Section 4.1. 



The size of the squared error of Circuit 4.4 is then bounded by 
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Figure 4.1: Quantum Fourier Phase Estimation (FPE): — > 
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Figure 4.2: Exact Quantum Fourier State Computation (QFS): |j)|0) 
proximate version (AQFS) just omits the Rk for k G Q{\ogn). 
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Figure 4.3: Approximate Parallel QFT for Uniform Inputs (UQFT) 
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Chapter 5 

An Approximate Quantum Fourier 
Transform over an Arbitrary 

Let |a) = Yli<N "^iK) arbitrary quantum superposition and let |a) denote the 

quantum Fourier transform of \a) over Z]\f. We give quantum circuits which approximate 
this QFT to within an arbitrary e. When e is an inverse polynomial in n = log N the circuits 
achieve a substantial speedup over the O(n^) method of [22]. Our method continues to work 
for smaller e but with asymptotic size identical to earlier methods. A preliminary version 
of these results can be found in [17]. 

We focus on the relevant situation of e an inverse polynomial. In particular, we 
show that in this case circuits of size 0{n log n log log n) and depth 0(log n) can be achieved. 

Theorem 2. There are quantum circuits of size O (n log n log log n) and depth O (log n) 
which approximate the QFT over to within an arbitrary inverse polynomial. 

More specifically, the bottleneck in our algorithm is multiplication by our modulus 
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N and an n-bit approximation to its inverse 1/N, denoted 1/N. Let s{M) and d{M) denote 
the simultaneous size and depth of quantum circuits which multiply an arbitrary n-bit 
integer by M, that is, map 

\M)\j) \M)\j)\Mj)} 
Then our Algorithm 3 yields the following: 

Theorem 3. There are quantum circuits of simultaneous size and depth 

O (^s{N) + s(l7iV) + nlogn) and O (d{N) + d{l/N) + logn) 
respectively which approximate the QFT over Zjv to within an arbitrary inverse polynomial. 



5.1 The Algorithm 
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Figure 5.1: Approximate QFT over Z]\f. 



We now describe the action of the circuit pictured in Figure 5.1 on input \a) = 

'^i<N '^il'^) parameters R = 2^ and M > RN. We will require a supply of [log(M/iV)J + 

^Notice that both the inputs M and j are preserved and thus quantum circuits for this map can be 
generated from classical multiplication circuits using Lemma 1 - no division circuits are necessary. 
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1 clean bits in an auxiliary register and 0(n) -bit approximations to the decimals 1/iV, N/M, 
and M/N. In particular, our input will be of the form 

\cm\a) 

where \C) is a control register containing these approximation and a copy of our modulus 
N. Our output will be a superposition which is close to 

\C)\&)\ri) 

for some \r]), where \a) denotes the QFT over of \a). 
Algorithm 3. Input: \C)\0)\a) 

1. QFT over {Z2Y: 

2. Repeat \a) R-times: 



|iV,l/7V)^^K)|a) = \NMN)Y,^\i)Y.^i\j) 

i<R i<R j<N 

\N,1/N) + 

j<N,i<R 

|iV,l/iV)|/3). 



3. QFT over Zm, 



^. Division by M/N : 

\3)^m) 
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where j = Ijfi] + 1 and ~2JV — * ^ 27v- 



The correctness of the algorithm is a consequence of the fact that for a typical 
remainder t, the subvector indexed by integers of the form [^^1 + 1 (and renormalized to 
unit length) is close to the desired \a). It is worth noting that if M = RN this is exactly 
true - the only remainder with any amplitude is zero and the subvector at integers is 
exactly \a). More generally the approximation follows from Theorem 10, which yields the 
following Corollary. 

Corollary 1. Let |C)|7) be the output of the above algorithm. Then there is a superposition 
1 77) so that 



In order to achieve a QFT which is accurate to within e, then, it suffices to take 



5.1.1 Size and Depth Analysis 

We now return to Circuit 5.1 and analyse its size and depth requirements, restrict- 
ing our analysis to the situation where e is an inverse polynomial. First, since we are free to 
choose M to be a power of 2, the QFT at step 3 can be implemented by the parallel circuits 
of Chapter 4. Also note that the bounds from Corollary 1 show that we can take M to have 
only n + 0(logn) bits. The subcircuit for this transform thus has size and depth 0(n log n) 
and O(logn) respectively with constants approaching those of the parallel circuits over 2" 



Ill7)-I«)l^)ll< 



4RN 81ogA^ 




itself. 
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We now turn to the two multiplication procedures sandwiching the transform. 
Step 2 involves the multiplication of integers less than R by our n-bit modulus A'' and its 
inverse 1/N. But R can be chosen to have only logn-bits. In this case classical "grade 
school" multiplication techniques combined with carry-save adders are more efficient than 
FFT related techniques and their translation to the quantum setting yields circuits of size 
and depth 0(n log n) and O(logn) respectively. The fact that R can be taken to have only 
logn bits is a consequence of the circulant analysis of Section 9.2.4. 

The bottleneck in Algorithm 3 is the final step where we divide by the n-bit 
approximation by M/N . In other words we run Circuit 1.7 on inputs M/N, N/M in reverse. 
Since we choose M to be a power of 2 this is equivalent in complexity to multiplication by N 
and 1/N. We note that if there is a special technique for quickly multiplying and dividing 
by our modulus A'' the circuit size and depth can be improved. For instance, if A'' = c'" 
is a constant power then we can perform reversible multiplication with a circuit of size 
0(n log n) and depth O(logn). This gives us an algorithm which matches the asymptotic 
size and depth of the QFT over a power of 2. Of course, a circuit for the QFT over a 
modulus of this form could also be constructed directly in analogy with the power of 2 case 
and would achieve similar asymptotic size and depth. We conjecture that by just changing 
the multiplication technique used in Step 4 to suit the particular modulus N our circuits 
can always be made asymptotically optimal. 

We emphasize that the only reversible multiplication is by the modulus and its 
inverse, not between arbitrary n-bit integers. The inverse can thus be prepared classically 
and we can make use of Circuit 1.7. This allows us to avoid the problem of optimizing 
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the simultaneous size and depth of division circuits - see the discussion at the end of 
Section 1.5.1. This is another clear benefit of our technique over earlier approaches. We 
note that there appears to be a close relationship between the complexity of approximating 
the QFT over and reversible multiplication by A'^. Our algorithm shows that, with 
low (0(n log n)) overhead, approximate circuits for reversible multiplication by N lead to 
circuits for approximating the QFT over Zn . On the other hand one can show that, 
with similar overhead, circuits approximating the QFT over ZjV2" can be converted to 
approximate circuits for reversible multiplication by N. Unfortunately this relationship 
does not lead to a faster-than-classical quantum multiplication algorithm, the "tantalizing" 
question posed by Shor[32]. 

5.2 Fourier Sampling 

In many quantum algorithms (see [6, 32, 7, 33]), including the Hidden Subgroup 
Algorithm 2, the QFT occurs as the final quantum step and a measurement of the super- 
position immediately follows. We refer to this procedure as Fourier sampling [6]. Suppose 
that we wish to sample from 1*10;), the distribution induced by measuring \a) = Ff^\a), for 
some given N and \a). In this situation since we need only insure that the distribution 
we sample from is e-close to - we need not worry about the phases of the amplitudes 
in the final superposition. This simplifies the computation of the previous Section in two 
ways. 

First, we can reduce the size of the QFT, Fm, which appears as a subroutine in 
our circuit. In particular we can choose M to be any integer at least RN as opposed to 
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requiring as in the previous algorithm. This is because we are now lumping 

together the probabilities of all outputs of the form j = [^i] + t for —j^ <t< 5^ - we are 
no longer concerned with the individual superpositions corresponding to a fixed remainder 
t or with phases of our amplitudes. 

Second, and more significantly, we can reduce the asymptotic size and depth of 
the quantum circuits by measuring immediately after Fm and performing the final division 
classically. This reduces the quantum circuit size and depth to 0(n log n) and O(logn) 
respectively. 



IN,1/N> 
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Figure 5.2: Fourier Sampling over Z^. 



Algorithm 4. Input: \N,1/N)\0)\a) 



1. QFTover{Z2Y: 



|0)|a)^^^|i)|a) 



2. Repeat \a) R-times: 
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\N,l/N)Y,^\i)\a) = \N,l/N)^^\i)Y,c^j\j) 

\N,1/N) J2 -^<^j\j + im 



j<N,i<R 

\NMNm. 



3. QFToverZu, 



4- Measure 

5. (Classical) Divide \ j) by M/N to output i such that j = [^i] +t for <t< 

Let be the distribution on {0, (iV — 1)} induced by measuring \a) and let 
V be the distribution induced by Algorithm 4. Corollary 1 from the previous section could 
be used to prove that these distributions are close for sufficiently large R and M » RN. 
However, we use Theorem 11 to show that this is still true for any M > RN. In particular, 
the following Corollary is a direct application of this Theorem. 

Corollary 2. 

8 log AT 



Vr 



5.3 Fourier Sampling and The Hidden Subgroup Problem 
over Z 

In the previous section we gave a procedure which, given N and \a) = X]i<iv "^iK) 
as input, sampled from the 'D^^'^, the distribution induced by measuring |q:) = FnIo). This 
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procedure is the basis for the finite Abelian hidden subgroup algorithm, of which Shor's 
Discrete Log algorithm is a special case. We now give a procedure for the hidden subgroup 
problem over Z. The procedure itself is essentially identical to the quantum portion of 
Shor's algorithm, but we give a more general analysis. 

Suppose we have the ability to generate arbitrarily long repetitions of some fixed 
superposition |a) = X^j<jv that is, superpositions of the form X]i<M "^(i mod N)\>)-, but 
that |a) and N are themselves unknown. Let V^^yjq be the distribution on fractions with 
denominator N and numerators distributed according to T^\a)- The following algorithm 
allows us to sample from a distribution which is arbitrarily close to I'|a)/Ar- 

Algorithm 5. Input: Y,i<M(^{i mod at) K) 

1. QFT over Zm 

2. Measure 

3. ( Classical) Divide the result by M, and use the continued fractions method to round to 
the nearest fraction with denominator less than T , where T is a known upper hound 
on N. 

In particular, if T> is the distribution on fractions with denominator less than T 
output by our algorithm, then we have the following Lemma, whose proof appears in Section 



5.3.L 



Lemma 3. 
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To make these distributions e-close, then, it suffices to take M = Q ( j^ . It 

is important to notice that even sampling exactly from V^^y^ does not immediately give 
us access to the distribution or to the value N because the fractions obtained are in 
reduced form. 

We now use this algorithm to solve the Hidden Subgroup problem over Z. Recall 
that we are given a function / defined on G which is both constant and distinct on the 
cosets of an unknown subgroup H < G. The goal is to determine H. In the case of G = Z, 
H must be a cyclic subgroup generated by some element N of Z, i.e. H = {N). The 
function / can be equivalently described as a function with period N which is one-to-one 
within each period. Determining the subgroup H is equivalent to determining this period. 

Given an upper bound T on N we can easily create the superposition J2i<M K) 
where M = (T^ log^ T log^ log T) is a power of 2. Using this as input to the above algo- 
rithm we can sample from a distribution very close to ^?|q)/7v where |a) = Yli<N 
Now, ^i^i^ is uniform on {0, . . . , AT — 1} - this follows easily from the fact that / is one-to-one 
within its period - and thus X'|Q)/Ar is uniform on fractions with denominator N. 

We test the denominator of each fraction output by our procedure to see if it is 
the period by evaluating the function at a pair of values. This will allow us to correctly 
discard all denominators less than A'". We then accept the smallest value which passes our 
test. This procedure correctly recovers N as long as it actually appeared as a denominator, 
i.e. as long as we sampled a fraction with denominator and numerator relatively prime 
to N. Such numerators constitute a c/logn fraction of the set {0, . . . ,N — 1}, for some 
constant c. By our choice of M this set must constitute a similarly sized fraction of the 
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distribution output by our algorithm and by sampling 0{nlogn) times such a numerator 
will occur with exponentially high probability.. 

5.3.1 Proof of Lemma 3 

We can analyse the distribution output by Algorithm 5 on input '^Zikm ^(i mod N) K) 
and parameter T > N hy comparison with the action of Algorithm 4 on a specially con- 
structed input. In particular, let |a) be the superposition |a) repeated T-times, i.e. 

j<Ti<N 

We look at the distribution output by Algorithm 4 on input 

\TN)\0)\a) 

and parameters R = [^J and M. By Corollary 2 this distribution is close to Vp^^^^) for 
an appropriate choice of M. Moreover, since the amplitude of Ftn\oi) at Ti is identical to 
the amplitude of \a) = Fj<^\a) at i, Vp^^^^^^ is just distributed over multiples Ti of T. 

Now, it is not hard to see that the input to the QFT over Zm when Algorithm 4 
is run on input |rA^)|0)|Q;) and the above parameters is very close to the input to the QFT 
over Zm in Algorithm 5. Thus the distribution of outputs from Step 4 of Algorithm 4 on 

\TN)ma) 

is exponentially close to the distribution of outputs from Step 2 of Algorithm 5. By the pre- 
vious paragraph we need merely insure that an output interpreted by the former algorithm 
as Ti is interpreted in the latter case as i/N. An output k which the former algorithm 
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rounded to Ti must have satisfied 



k 



M 
TN' 



Ti 



< 



M 
2fN' 



(5.1) 



Algorithm 5 divides this same khy M and uses the continued fraction method to 
round to the nearest fraction with denominator less than T. Dividing Equation 5.1 by M 
yields 



k i 
M~ N 



< 



2TN' 



(5.2) 



which implies that must be this nearest fraction given by the continued fractions proce- 
dure, as desired. 

This distance between V and 'D^^yj^ is thus given by 



81ogA^ 



+ 



TN 



= O 



TlogT 



^M/TN M-TN \ VM 
where the first term in the sum comes from the error in Algorithm 4 and the second from 
the distance between the inputs to the QFT's in Algorithms 4 and 5 respectively. 
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Chapter 6 

A Relaxation of the Abelian 
Hidden Subgroup Problem 

Recall the hidden subgroup problem introduced in Section 2.2. We are given oracle 
access to a function Jh defined on a group G and constant on cosets of some unknown 
subgroup H < G. The challenge is to find a set of generators of H. The standard hidden 
subgroup problem assumes further that fn is distinct on distinct cosets of H. This standard 
version can be solved efficiently on a quantum computer, that is in time polynomial in 
n = log \G/H\, whenever G is a finitely generated Abelian group([21]). 

The related problem which relaxes the requirement that /h be distinct on distinct 
cosets of H was first addressed in [7] and later in [24] . We shall refer to this as the relaxed 
hidden subgroup problem. Both [7] and [24] give algorithms which partially solve the relaxed 
hidden subgroup problem, with the former addressing just the case G = Z and the latter 
the general problem for finitely generated Abelian G. However, in both results the coset 
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distinctness requirement is changed only slightly. In particular, the function fn is allowed 
to map m cosets to one, but m must be both polynomial in n and smaller than the smallest 
prime divisor of Notice that for some groups, such as G = 0^ Z2, this amounts to no 
relaxation at all. 

As noted in [24], however, some restriction must be placed on the behavior of the 
function fn, since, once the distinctness requirement is dropped, there are functions Jh and 
fx ioT K ^ H which differ on an exponentially small fraction of their inputs. Using existing 
lower bound techniques based on the unitary evolution of quantum computation we should 
expect that such functions require exponentially many queries, and thus exponential-time, 
to distinguish. 

We solve the relaxed hidden subgroup problem for finitely generated Abelian 
groups. In particular, we define a stratification of the functions fn into classes, then give a 
tight characterization of which classes have polynomial-time algorithms by exhibiting both 
an algorithm and a lower bound for each class. These results generalize and simplify our 
earlier work on many-to-one periodic functions presented in [17], and use in a crucial way 
the Fourier sampling procedures of Sections 5.2 and 5.3. 

6.1 Definitions and Main Theorems 

Throughout our discussion fn will denote a function defined on a finitely generated 
Abelian group G and constant on cosets of the subgroup H < G. Notice that for any K < H 
fn induces a well-defined function on G/K which we denote fn/K- We define the input 
length of the hidden subgroup problem given by the function fn on G to be n = |^log jG/iJj] . 
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and assume without loss of generality that the range of fn is contained in the set {0, 1}". 
Let D be the generahzed Hamming metric on the functions fn- 

Definition 3. 

is the fraction of elements in the group G for which fnix) 7^ fxix). 

In other words, fn and fx are e-close under D if they disagree on at most an e 
fraction of the elements of 

Using this metric we stratify our functions into classes in the following manner: 

Definition 4. For any function d{n) let 

Ci/d{n) = {fHl'^fK With K^H, TtifnjK) > l/din)}. 

We think of the function fn as a codeword for the subgroup H. The class Ci/(i(„) 
is then a code with minimum distance l/d{n). Our results show that there is an efficient 
quantum decoding procedure for Ci /^{n) if and only if d{n) is a polynomial. 

More formally we will prove the following two theorems: 

Theorem 4. Given any polynomial d{n) there is an efficient quantum algorithm A? which, 

given any finitely generated Abelian G and fn € (^1/^(71); outputs the generators of H with 

exponentially high probability. 

careful reader should object at this point that this definition only really makes sense when G is a 
finite group. Wc take the distance between /h and /k defined on an infinite G to be the distance between 
the induced functions fH/(HnK) and fK/(HnK) which are defined on the finite group G/{H n K). 

^Throughout the paper we will assume that A has a blackbox subroutine for computing values of / 
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Theorem 5. Let d{n) = o(2") be given. Suppose that A is a quantum algorithm which 
correctly computes generators of H from any fn £ C'i/d(n) '"^^^^ probability at least 3/4. 
Then A has worst-case run-time d{n)) . 

Our algorithm uses the same quantum subroutine as the standard hidden subgroup 
problem - namely Fourier Sampling. The relaxed problem requires more repetitions of this 
quantum subroutine and, in the case of G = Z, a more elaborate classical post-processing. 

The lower bound is proved in the special case where G = Z and thus the hidden 
subgroup function is periodic on Z and potentially many-to-one within each period. The 
proof is a slight variation - allowing for the periodic structure of / - on the standard lower 
bound technique of [5]. This is sufficient to establish the polynomial vs. superpolynomial 
gap which is our primary concern. It is likely that the more sophisticated techniques of [1] 
could be used to improve this lower bound. 

6.2 Finite Abelian G 

We first solve the special case of the relaxed hidden subgroup problem where the 
underlying group G is finite Abelian. Section 6.4 addresses the case G = Z and shows how 
to combine these to give an algorithm which works for any finitely generated Abelian group. 

As in our discussion of the standard hidden subgroup problem we assume that 
the group G is given to us as a direct product j<„ Zp^ . More concretely, the input to 
our quantum algorithm is the list (pi, ■ ■ ■ ,Pk) and our function fn is defined on the set 
©i<n ^Pi ■ standard hidden subgroup problem there is a quantum procedure which 

produces such a description under very general conditions [8] 
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Algorithm 6. 1. Prepare 

W) = XI \^)\fH{x)). 

xeG 

2. Sample from ^^FqIo) where 

FG\a) = Y,mx)\fHix)). 

x£G 

Repeat this procedure O, (n^d^(n)) times obtaining outputs yi. Solve the corre- 
sponding system of equations yi -g x and output this solution. 

As mentioned previously, our quantum subroutine is identical to that of the stan- 
dard case but we must increase the number of samples by a factor of dP{n). As before, 
the correctness of this algorithm is equivalent to the condition that the samples yi generate 
the subgroup H-^. We first note that, as in the standard case, the distribution I'Fgia) is 
supported on this subgroup. The argument given in the standard case (see Section 2.3) 
hinges on the fact that for any h e H 

\a) = J2mH{x)) 

xeG 

and 

\h*a) = \h) * \a) = ^\h + x)\fH{x)) 

are identical, which remains true in the relaxed problem as well. 

In order to establish the correctness of the algorithm we need further that the 
outputs generate H-^ with high probability. Recall that in the standard case we used the 
fact that the distribution was uniform on to argue that O(n^) samples must generate 
this subgroup with high probability. Uniformity no longer holds in the relaxed case. Instead 
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we substitute the following property which limits the probability that our samples remain 
trapped in some proper subgroup of H^: 

Lemma 4. Suppose that fn £ (^1/^(71) • Then for every proper subgroup K < , if y is 
chosen according to 'Dp^^^^ 

Pr{yeK) < 1-1/A(f{n). 

This lemma, proved in Section 6.2.1, is the main technical result of this Chapter. 
The correctness of the algorithm follows from the Lemma by an argument similar to that 
of the standard case. In particular, in order for our outputs to generate they must lie 
outside of any proper subgroup K of H^. There are at most 2"^ such subgroups, since each 
is determined by a set of at most n generators and 



\G/H\ < T 



The probability that there exists a proper subgroup of B.^ containing all our outputs is 
therefore upper bounded by the quantity 



2"' (1- 1/4(^2 (n))* 

where t is the number of repetitions of the quantum subroutine. Thus if we choose t = 
$1 (n^(i^(n)) the outputs will generate with high probability. 

6.2.1 Proof of the Reconstruction Lemma 

We prove a reformulation of Lemma 4 which replaces the quantification over sub- 
groups of with the quantification over subgroups of R^ which are themselves "perps" . 
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Since H = {H-^)'^ all subgroups are of this form and the content of the lemma is un- 
changed. We first sketch how to establish that H = (if-*-)"*", then proceed to the proof 
of the reformulated lemma. Notice that it follows trivially form the definition of that 
Since H is finite it then suffices to show that = (-ff"*") which follows 
from \G/K\ = \K-^\ for all subgroups K. This last equality can be proved by showing that 
the QFT over G maps a subspace of dimension \G/K\ to one of dimension l^^"*"! and using 
the fact that the QFT is unitary. 

Lemma 4. Suppose that fn £ C'i/d(n)- Then for every proper subgroup of , if y is 
chosen according to ^^Fda) then 



Pr (yeK^^ <1- 1/4^2 (n) 



Proof. We give a proof by contradiction. Suppose there exists a K-^ which violates the 
lemma. We reconstruct a function fx with 

Ti{fH,fK)<l/d{n), 

This contradicts the assumption fn £ (^1/^(71)) since if is a proper subgroup of then 
K ^H. 

We first note that for any g & G the amplitudes of Fg\c() Fg\9*C() at x are related 
by the phase 0;^'°^. Thus for any k e K the amplitudes of -Fb|a) and FG\k*a) are identical 
at elements of K^. Moreover by our assumption, when y is chosen according to Vp^^^'^, 

Pr [y e K^^ > 1 - l/4d2(n), 

and thus the superpositions Fola) and Folk * a) are heavily supported on this subgroup 
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K^. The superpositions must therefore be close. In particular, 

{FG\a),FG\k*a)) > ^/l - l/4d^in). 
This implies the same lower bound for the inner product 

{\a),\k*a)), 

indicating that the vectors |Q;)and \k * a) also have almost the same direction. This can 
only be the case if they agree on most of their coordinates. In particular, if c is the fraction 
of X for which fH{x) = fnix +g k), then 

(|a), \k*a)) = Vc> - l/4d2(n). 

In other words, for every k e K at least a 1 — 1/ 4cf (n) fraction of the x e G satisfy 

Mx) = Mx + k). (6.1) 

We now define our new function fx which is constant on cosets of K but still close 
to fn- For each coset xK we define fx to be uniformly equal to the majority value of /h 
on xK, if one exists, and uniformly equal to otherwise. Clearly fx is constant on cosets 
of K but it remains to show that 

D(/H,/x)<lMn) 

in order to obtain a contradiction. But by (6.1) together with a standard averaging argument 
we have that for at least a 1 — l/2d{n) fraction of the cosets xK, fn is constant on a 
1 — l/2d{n) fraction of the coset. This implies that 

^{fnjK) < l/2d{n) + l/2d{n) = l/d{n), 

as desired. □ 
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6.3 The Relaxed Hidden Subgroup Problem over Z 

We now give an algorithm for the relaxed hidden subgroup problem over G = Z. 
Let jii be defined on Z and constant on cosets of H < Z. In this case H must be generated 
by some N E Z and we refer to fn as /{at}- /(at) is equivalently a periodic function with 
period A'^. In this relaxed problem /^jv) may not be distinct on distinct cosets, in other words 
the function is potentially many-to-one within each period. The distinctness requirement 
is replaced with the assumption that /^jv) £ C'i/d(n) some polynomial d{n). 

Let 

i<N 

and \a) = -F/v|a) be the superposition obtained by performing the QFT over Zn of the first 
register of \a). We first note that the restriction of /^jv) to the set {0, 1, . . . , A/" — 1} is the 
function induced by /^jv> on Zj {N) . It is easy to see that this induced function is still in 
Ci/d(n) but now encodes the trivial subgroup (0). By the results of Section 6.2 if we sample 
from Q.{n'^cP{n)) times we will almost surely obtain a set {yi} generating (O)-*- = Zpf, 
that is, a set {yi} satisfying gcd{yi, . . . ,yk,N) = 1 

While we cannot create the superposition \a), we can create arbitrarily long rep- 
etitions of I a) by evaluating fn on some interval. The Fourier sampling procedure of 
Section 5.3. then allows us to sample from a distribution exponentially close to I'|a)/jv, 
the distribution on fractions with denominator N and numerators distributed according 
to I'la)- We can thus assume we are sampling exactly from the distribution V^^yjq, and 
by the above paragraph after r2(n^(i^(n)) samples the numerators of the fractions satisfy 
gcd{yi, . . . ,yk, N) = 1 with exponentially high probability. By taking the least common 
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multiple of all denominators we recover the desired N. 

6.4 Finitely Generated Abelian G 

The finitely generated case can be reduced to the finite case by restricting /h to 
each of the infinite cyclic components of G and using the algorithm of the previous section 
to find the periods of these restricted functions. More formally, given a description 

{pi,...,Pk,m) 

of the group 

\i<n / \i<m / 

by finding the periods Ni of the restriction of fn to each of the m copies of Z we obtain 
a finite Abelian G' = (0j<„ -Zp.) + (0j<f„ Z^^) so that the restriction of our function fn 
to G' now encodes a subgroup H' < G' and is still in Ci/rf(„). Moreover the generators of 
H are precisely the generators of H' together with the periods iVj. This accomplishes the 
desired reduction. 

6.5 Proof of Lower Bound, Theorem 5 

We need the following definition and theorem from [5]. Theorem 6 expresses the 
fact that if a quantum algorithm makes few queries to an oracle function there must be 
values of that function which have been hardly examined and thus can be changed without 
significantly changing the algorithm's behavior. Its proof combines the unitary evolution of 
quantum computation with a hybrid argument. 
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Definition 5. [5j Let \(f>i) be the superposition of on input x at time i. We denote by 
Qyil'Pi)) ihe sum of squared magnitudes in \(pi) of configurations of M which are querying 
the oracle on string y. 

Theorem 6. [5] Let \<^i) be the superposition of on input x at time i. Let e > 0. Let 

5 C [0, r — 1] X be a set of time-strings pairs such that Y^{iy)^s'iyi\^i)) — T- ^ow 
suppose the answer to each query {i,y) E S is modified to some arbitrary fixed ai^y (these 
answers need not be consistent with an oracle). Let 10^) be the time i superposition of A on 
input X with oracle answers modified as stated above. Then \\\4>i) — Wi)\\ ^ ^■ 

In our case we wish to use Theorem 6 to show that if a quantum algorithm com- 
putes with constant probabiUty the period N of any / G C'i/(^(„) defined on G = Z then 
it must make at least fi(-y/d(n)) queries to the function's values. To this end we first look 
at the algorithm's behavior when f{x) = for all x (Note that the all-zeroes function is in 
every class Ci/d{n))- 

We wish to use this behavior to generate a function g G C^/^^^) which has period 
greater than 1 and which the algorithm cannot distinguish from the all-zeroes function 
without making lots of queries. This is similar to earlier applications of Theorem 6 but 
with the added complication that g must be periodic and at least l/d{n) away from any 
function of smaller period. We ensure periodicity by first deciding on the period N oi g and 
then changing the value of the function simultaneously on all points of the form x + kN. 
We show that the latter complication can be resolved by choosing g to have prime period 
and to be sufficiently different from the all-zeroes function. 

Proof. (Proof of Theorem 5) Given A^ computing the period of any function in Ci/(i{n) i^i 
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time r, we initially examine A° where o denotes the all-zero function. 

Fix a prime N such that y/d{n) < iV < 2". For < x < let 

5^ = [0,r-l] X {y\y = x + kN}. 

The average value of Yl{iy)eSx 'N least 1/2 of the sets Sx satisfy 

<lym)<'2^- (6-2) 

Let U be any set of 'iN/y/'din) x which satisfy (6.2). We let our new function g 

satisfy g{x + kN) = 1 for x G f7 and g{x) = o{x) = otherwise. Note that g{x) has period 
our chosen prime N and that D{o,g) > 3/^/d{n). 

Furthermore, let Su = Uxec/ '^x C [0, T — 1] x E*. Then 

and we can take the e of Theorem 6 to be -r^=. Thus in order for our algorithm A to 
distinguish between the all-zeros function o and our new period- A/" function g with constant 
probability, A must have worst-case run-time fl{-^d{n)). 

To prove our theorem, however, we need to verify that our function g is actually 
in Ci/(i(„). We need the following claim whose simple proof is in the next section. 

Claim 1. For any periodic functions f and g with periods Nf and Ng respectively, if 
-^(/) 5) < £^ < 1/16 then there is a function h with period = gcd{Nf, Ng) and D(h, g) < 
3e. 

Think of the g in the claim as being our g constructed above. We need to argue that 
there are no functions of smaller period within l/d{n) of g. By our claim if such a function 
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/ existed then there would be a function h with period A^^^^ = gcd{Nf,Ng) = 1 (since the 
period of 5 is a prime) and D{h,g) < 2>/^/d{n). But g and the all-zeroes function, which is 
the only plausible candidate for h, have distance at least 3/^/d{n), a contradiction. □ 

6.5.1 Proof of Claim 1 

Proof. Let Nh = gcd{Nf,Ng). Fix k and / such that INf - kNg = Nh- We will define a 
function h which is constant on flights of the form [x + kN^] = {x,x + Nfi,x + 2Nh, ...) and 
within 3e of g. Since D{f, g) < e^, with probability at least 1 — e when we choose a random 
flight [x + kNfi] at least a 1 — e fraction of points y in that flight will satisfy /(y) = g{y)- 
For such a "good" flight, choose y and z independently at random in the flight and let j 
satisfy jN^ = y — z. Then the point w = y + jkNg = z + jlNf is uniformly distributed 
over the flight. Thus f{z) = f{w) = g{w) = g{y) with probability at least 1 — e. Putting 
these two facts together we get that when y and z are chosen at random in a "good" flight, 
g{y) = g{z) with probability at least 1 — 2e. Using the fact that e < 1/4, this implies that 
at least a 1 — 2e fraction of points in the flight share the same g value. We let the value of 
h on all points in the flight be this overwhelming g value, and for "bad" flights we define h 
to be uniformly 0. Then it follows that D{g, h) < 2e + e = 3e, as claimed. □ 
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Chapter 7 

Hidden Subgroups over the Reals 

We now expand the ideas of the previous section to show how to find the period of 
certain periodic functions defined on the reals, effectively solving the hidden cyclic subgroup 
problem over < 3?, + >. This generalizes a recent result of [18] which gives a quantum 
algorithm finding the period of a subclass of these periodic functions sufficient to yield 
a polynomial-time quantum solution to Pell's equation. Solving Pell's equation has been 
shown to be at least as hard as factoring but no reduction in the opposite direction exists. 
In Chapter 8 we give evidence in a relativized setting that period-finding over the reals is in 
fact harder than over the integers. In particular, we show that the problem over the reals 
lies outside of the complexity class MA, a complexity class which contains the analogous 
problem over the integers. 

Throughout our discussion / will denote a piecewise continuous function from 
3fi — > [0, 1] with period p. Our quantum machine is allowed oracle access to approximate 
versions of /. In particular, on call the oracle xors the first t-bits of f{i/j), 
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denoted ft{i/j), into the last register, returning \i)\j)\t)\ft{i/j))- 

The input length of / is (n, k) ii p < 2" and the n-bit approximating step function 
fn has average step interval at least 1/2*^, where the average step interval is defined to be 
the ratio of the period p to the number of step intervals in that period. We define a metric 
on these functions which is the continuous analog of Definition 3, Section 6.1. 

Definition 6. Let if,g{x) = 1 whenever \ f{x) — g{x)\ > 2"" and otherwise. Then 

1 /•* 

D(/,5) = lim - / if,g{x)dx. 

Just as in the case of functions defined on Z (Definition 4, Section 6.1) we use this 
metric to stratify the functions into classes. Again, if we think of / as an encoding of its 
period p then the class Ci/^(^n) is a code with minimum distance l/d{n). If / G Ci/rf(„) then 
in order to reduce its encoded period one needs to change at least a l/d(n) "fraction" of 
its values by at least 1/2". In other words, / encodes its period l/(i(n)-unambiguously and 
does so using just n-bits of output. 

Definition 7. 

Ci/d{n) = ifPg < Pf then T>{f,g) > l/d{n)} 

We can now state the main theorem of this section: 

Theorem 7. For any polynomial d{n) there is a quantum algorithm A which generates 
the first m-hits of the period of any f G Ci/^(^n) exponentially high probability in time 
poly{n, k, m). 

That the condition / G (^1/^(71) for d{n) a polynomial is necessary for an effi- 
cient quantum algorithm to exist follows almost immediately from the lower bound result 
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(Theorem 5) of Chapter 6 - after interpreting functions on Z with integral period as step 
functions on 3ft with step interval 1 in some canonical way, all that remains is to check that 
the respective definitions of Cxid{n) do in fact coincide. 

7.1 Overview 

Before we give a summary of the procedure we note that it is sufficient to give an 
algorithm in the restricted case where the given function / is a step function with n-bit 
range, i.e. / = /„, and has average step interval > 1. The first m bits of the period of an 
arbitrary / G Cxjd^n) of input length (n, fc) can then be found by running this algorithm 
to find the first m bits of the period of the function fn{x/2^) G Ciid(n) C C'i/(i(„+fc) which 
satisfies these restrictions and has input length (n + k,l). We will thus assume without loss 
of generality that our function / has n-bit range and average step interval > 1. 

The quantum portion of the algorithm is just Fourier Sampling, in this case sam- 
pling from the distribution induced by measuring Fmn {Y^i^±MM. ^r some 
M, A'^. The tricky part lies in showing that M and N can be chosen simultaneously to yield 
the desired information about the period. Suppose we fix M and choose N » M. Then it 
is easy to see that evaluating the functions f{j^) and /(-j-^j) on the interval [i'^^] results 
in exponentially close superpositions (Lemma 6) . This is useful because the latter function 
has integral period [Np] (easy to see) and is in Ci/2d{n) when regarded as a function on the 
integers (Lemma 7). This allows us to use the results of the previous chapter to analyze 
the distribution output by the Fourier sampling procedure. 

In particular, suppose by some fortuitous luck that [Np] actually divides MN. 
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Then we know that the the Fourier samphng procedure always outputs integers of the form 
ki = and that gcd{ji, . . . ,jt, [Np\) = 1^ is satisfied with high probabihty after just 

0{n^(f{n)) samples. This would allow us to reconstruct [Np] just by taking the Icm of the 
denominators of the fractions 

Now, dropping the improbable assumption that [Np] divides MN, we can use 
Corollary 2, Section 5.2 to conclude that if MN >> Nplog^{Np) then we will sample 
approximations ki to the fractions ^^^j where the approximations satisfy 



jiMN 



[Np] 

and the ji are distributed as described in the previous paragraph. The requirement MN » 
Nplog^{Np) is still compatible with choosing A?^ >> M, so if we could just reconstruct the 
fractions ^^^^ from the approximations ki we would be done. 

Unfortunately, reconstructing the -j-^ from the using the continued fractions 
method requires a tighter bound than Equation 7.1 provides - the fractions would need to 
be within 2iNp-]'^ each, other. Previous results obtain this tighter bound by evaluating the 
function past the square of its period - see for example Algorithm 5, Section 5.3. This is 
not an option for us since it would entail choosing MN » {Np)'^log^{Np), incompatible 
with our initial assumption of N » M. We bypass this problem in the following manner. 
First we argue (Lemma 5) that the approximations ki output by our procedure are actually 
very small in absolute value. In particular, rather than ranging out to the maximal possible 
with exponentially high probability they are within ±0(2^"M), regardless of our 

choice of N. This implies that the ji are within ±0(2^"). We can then use continued 

^Actually in the end we will require, and show, that in this case the stronger condition gcd{j\, . . . ,jt) = 1 
is satisfied. 
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fractions to round the ratio ki / km of any pair of outputs of the Fourier samphng procedure 
to the nearest fraction with denominator less than 2^" and this modified continued fractions 
procedure terminates correctly, yielding ji/jm with the correct distribution, as long as 
M = $7(2^^" log^(MiV)). We can thus reconstruct j'l by taking the Icm of the numerators 
fractions ji/ji for sufficiently many i. Finally, as long as M = J7(2"*2^^" log^(MiV)), the 
leading m bits of Mj\/k\ coincide with p's and we can output them as our final answer. 

7.2 The Algorithm 

Choose M = 0, (2"^2^^'" log^ MN) axvdN = 9. (2'^"M) , both powers of two. 
Algorithm 7. Fourier Sampling over 3? 

1. Generate input superposition 

E K)i/(Viv))- 

2. Fourier Sample over Zmn 

Repeat this quantum subroutine 0{n?(P{n)) -times. Discard any sample which is less than 
2m^0n let {ki} denote the remaining valid samples. 

• (Classical) Use the continued fractions method to round each fraction k\/ki to the 
closest fraction with denominator less than 2^" . 

• ( Classical) Let ji be the least common multiple of the numerators of these fractions. 
Output the leading m bits of Mji / ki . 
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It suffices to sfiow tliat tfie outputs {ki} from the quantum subroutine satisfy 



jjMN 
[Np] 



O 




) 



(7.2) 



for integers ji < 2^" satisfying gcd{ji) = 1. This bound imphes \ki/ki — is at most 

1/2^'* and thus the continued fractions procedure correctly delivers each fraction ji/ji. Since 
the ji are relatively prime, ji will be the least common multiple of their numerators. And, 



the first m bits of p. 

We proceed to show that the statement involving Equation 7.2 is true with expo- 
nentially high probability via the following three lemmas, proved in Sections 7.2.1 and 7.2.2. 
The first is used to establish that the ji are small. The second and third allow us to use 
previous results about functions with integral period to understand the distribution of the 
ji and the quality of the approximations fcj. In each of these lemmas we assume that / has 
minimal, as opposed to average, step size at least 1. But it is easy to show that given any / 
with average step size at least 1, the function /(x2~") is exponentially close to a function 
with period 2"p and minimal step-size 1. Thus this assumption entails only a constant 
factor penalty in the run-time of the algorithm. 

Lemma 5. Let f be an integral-valued step function on K with minimal step size > 1. Let 
Vmn be the distribution on the integers in ±MiV/2 induced by sampling 



finally, ki will be sufficiently close to jiM/p, that is, within M/2' 



, to correctly deliver 




Then for all k dividing N 



PrxeVMN (1^1 > k^M) = 0{l/k). 



Lemma 6. Let f be an integral-valued step function on ^ with minimal step size > 1 and 
period p. Then for any i G Jft 



1 



MN 



\Np 



Lemma 7. Let f G Ci/£;(„) be an integral-valued step function on K with minimal step size 
> 1 and period p < 2". Then any rescaling of f , f{ax) which has integral period at least 
4:d{n)p is in Ci/2d{n) when restricted to Z (See Definition 4 Section 6.1). 

By Lemma 5, with exponentially high probability our samples ki are at most 2^"M, 
and thus the ji are at most 2^"p < 2^". By Lemma 6 and our choice oi N = Q. (2^"'M) we 
can assume that we are Fourier sampling, not our given function, but instead the function 
f{pi/YNp~\) which has integral period [iVp]. By Lemma 7 this function is in Ci/2d(n) 
when restricted to Z. Thus by the results of Section 6.3, after just Q.{n^dP{n)) samples 
with exponentially high probability we have approximations to fractions jiMN /yNp~\ with 
gcd{ji, [Np]) = 1. In this case we need further that gcd{ji) = 1. If this was not true there 
would be some common divisor d < 2"^", our bound on the ji. Choose r < 2^" so that 
d divides Np + r. Then by using Lemma 6 and our choice of AT a second time with the 
function f{pi/Np-\-r) we get that the ji also satisfy gcd{ji,Np + r) = 1 with exponentially 
high probability, a contradiction. 

Finally, we need to ensure that the ki satisfy 



ki 



jiMN 



[Np-] 



O 



M 



Again we assume we are Fourier Sampling the function fipi/[Np]) over Zmn- If L-^^*! di- 
vided MN we would be done - the ki would exactly equal the desired fractions. In general we 
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can apply the Fourier sampling results from Section 5.2. By measuring FMNiJ2i^±MN. K) 1/(0)) 
and rounding to the nearest multiple of MN/ k [Np] we approximate the distribution gotten 
by Fourier sampling f{pi/[Np]) over k[Np], i.e. the desired distribution. These distribu- 
tions are exponentially close as long as the number of repetitions MN/k[Np\ of this initial 
superposition (this ratio corresponds to the R in Corollary 2, Section 5.2 with k[Np] corre- 
sponding to A^) is n (2" log^ {k [Np\ )) . Since the ratio MN/ k \_Np\ is also the approximation 
error we must have MN/k[Np] = Q (2'^ \og^{klNp])) = 0{M/T^2^^'') which holds by our 
choice of M = O (2"2i^" log^ MN). 

We note that without the results of Chapter 9, a naive analysis - see the discussion 
in Chapter 9, Section 9.2.3 - would require that the number of repetitions MN/k\_Np~\ be 
at least k [ATp] in order for the distributions to be close. This would force M > N which is 
incompatible with the earlier condition N = Q (2^"M) . 

7.2.1 Proof of Lemma 5 

We now prove Lemma 5. Notice that this lemma applies to any step function 
on 5i with minimal interval 1 - we do not require that the function be periodic. We are 
taking the Fourier transform of this function evaluated on the fixed interval ±M/2 and 
allowing the spacing of the evaluations to become finer and finer. The resulting distribu- 
tions/superpositions approach a fixed limit which is concentrated within small multiples of 
zbM/2. Intuitively this is because allowing the evaluations' spacing to become finer while 
the step function remains fixed does not add any large Fourier coefficients - these correspond 
to functions which vary rapidly and our step function is appearing increasingly smooth. For 
our purposes it suffices to prove the following Lemma about the tails of these distributions. 
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Lemma 5. Let f be an integral-valued step function on 3fi with minimal step size > 1. Let 
Vmn be the distribution on the integers in ±MN/2 induced by sampling 



\^ i&±MN/2 ) 



Then for all k dividing N 



PrxeVMN (kl > k'M) = 0{l/k). 



Proof. Fix any A; dividing N. Let 



and 



\a') 



ie±MN/2 



^ ie±Mk/2 j&±N/2k 



We claim that |||a) — |a')|p = 0{l/k). This squared distance is just twice the 
fraction of pairs {i,j) for which f{i/k) ^ f{i/k + j/N). Since \j\ < N/2k this can only be 
true for when i/k\s within l/2fc of either end of an interval. Since the intervals have length 
at least 1 this occurs for at most a fraction of the i and likewise for the pairs {i,j). 

Now, the behavior of FmnW) is easy to analyze. Its amplitude at \x)\c) is 

/ \ 



1 



E E 



a;. 



MN ^ ^ 

i£±Mk/2 je±N/2k 
f(i/k)=c 



1 



V 



i^±Mkl2 
f(i/k)=c 



k 
N 



E 



MN 



(7.3) 



je±N/2k 



The RHS of Equation 7.3 is easily seen to be the product of the amplitude of 



'Mk 



/Mk 



ie±Mk/2 . 
f{i/k)=c I 



(7.4) 
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at \x mod Mk) and the amplitude of 



(7.5) 



at \x). The amphtudes in Superposition 7.5 fall off away from zero like 1/x while the 
amplitudes in Superposition 7.4 just keep repeating in blocks of size Mk. This will allow us 
to show that their product also falls off quickly away from zero. In particular, Observation 2, 
Section 9.2.5 gives us that the amplitude of Fmn (-^iv/fel^)) 1-^) most 



VMk-^. 

For convenience we let |/?) denote the Superposition 7.4, that is 

/ \ 



(7.6) 



ie±Mk/2 



Mk 



7^ E K 

/Mk ^-^ 

\ f{i/k)=c I 



Then we can use (7.6) to bound the sum of the amplitudes squared of Fmn\o^) in the tth 
block of size Mk by 



i6±Mfc/2 



2Mk 








tMk 



In other words the probability falls off as with the ith block of size Mk. Thus the 
probability of being larger than k'^M is 0{l/k). 

Combining the closeness of |a) and \a') with this falloff of FmnW) gives the 
desired result. □ 



7.2.2 Proofs of Lemmas 6 and 7 

We now prove two easy lemmas which allow us to use results from the previous 
Chapters about functions with integral period. 
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Lemma 6. Let f be an integral-valued step function on ^ with minimal step size > 1 and 
period p G 3ft. Then for any t 



1 



MN 



^ \i)f{i/N)- ^ \i)\f{pi/Np + t)) 



' NpJ 



This squared distance is just twice the probability that f{i/N) ^ f{pi/Np + t). 
Since for all i 



i pi 




ti 


= 


ftM\ 


N Np + t 




N{Np + 1) 


\¥p) 



in order for the function values to differ, i/N must be within 0{tM/Np) of the end of a 
step interval. Since the intervals have length at least 1 this applies to at most a 0{tM/Np) 
fraction of the i. 

Lemma 7. Let f € Ci/^(^n) be an integral-valued step function on 3? with minimal step size 
> 1 and period p < 2". Then any rescaling of f, f{tx) which has integral period at least 
4:d{n)p is in Ci/2d(n) ui^hen regarded as a function on Z (See Definition 4, Section 6.1.) 

Let f{tx) be any rescaling of / with integral period pt > 4d(n)p. Suppose f{tx) ^ 
Ci/2d{n) ^ function over Z. Then there exists a function g with integral period pg < pt 
so that f{tx) and g differ on less than a l/2d(n) fraction of the inputs in [0,pg ■ pt]. We 
can turn g into a function on 3ft with period pg by letting its value at a non-integral input 
correspond to its value at the nearest integer. The distance between f{tx) and g when 
regarded as functions on 3ft is small. In particular, since f{tx) has been rescaled to have 
step intervals of size at least 4d(n), they are identical at at least a 1 — l/2d(n) — 2/4d(n) 
fraction of the values, leading to a distance of at most l/d{n). Our original function / 
and the function g{x/t) have the same distance, with the latter function's period equal to 
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Pg/t < pf, a contradiction to our assumption that / G Ci/rf(„). 
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Chapter 8 

Hidden Subgroups over the Reals 
and MA 

8.1 Quantum vs. Classical Complexity Classes 

A primary method for delineating the power of quantum computation is by com- 
parison with various classical complexity classes. The Arthur-Merlin hierarchy [2] of probabilistically- 
checkable interactive proofs provides a natural backdrop for measuring quantum complexity. 
First, due to the inherently probabilistic nature of quantum computation, this hierarchy is 
a more natural choice than PH as a basis for comparison. In addition, problems like Graph 
Isomorphism which have defied classification as iVP-complete are considered the most plau- 
sible candidates for possessing efficient quantum algorithms achieving exponential advantage 
over classical computation. These problems also tend to have non-trivial characterizations 
in the AM hierarchy - for instance, Graph Isomorphism is known to be in Co — AM. 



95 

Unlike PH, the Arthur-Merlin hierarchy is known not to be strict. In particular, 
MA C AM and any constant number of rounds of interaction can be reduced to AM C 112 
[2]. However, allowing polynomially many rounds of interaction yields all of PS PACE - 
this is the well-known result IP = PS PACE [30]. While it may be possible to show directly 
that BQP lies inside a particular level of the Arthur-Merlin hierarchy, results showing that 
BQP lies outside a level of the hierarchy can only be given in the relativized or oracle 
setting. In particular, since it is known that P C BQP C P# C PSPACE a direct result 
of this sort would prove P ^ PSPACE, one of the nasty, long-standing open problems in 
complexity. 

There is an oracle O separating BQP from MA, that is, for which BQP'-' 2 MA'-' . 
This was first claimed in [6] but the first proof was given in [37] via a different oracle. This 
also implies a separation between BQP and MA U Co — MA due to the fact that BQP 
is closed under complementation. An open and intriguing question is whether there exists 
an oracle separating BQP from AM. There has been speculation that BQP is actually 
contained in AM. This is due to the fact that AM can perform an approximate count of 
the number the accepting paths of an A^P-machine. The proof that BQP C P# relies on 
the fact that exact counts of this form are sufficient to solve any problem in BQP and it has 
been conjectured that approximate counting might also be sufficient. An oracle separation 
of BQP from AM would be an indication to the contrary. In addition it would show that 
any proof of BQP C AM must use non-relativizing techniques, in contrast to the result 
BQP C P*. 

We exhibit two oracle promise problems which achieve the weaker separation 
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BQP^ % MA^. The first of these promise problems is just a decision version of Simon's 
problem (Section 2.2) and its virtue Hes in being much simpler than the oracles of [6] and 
[37] - the proof that it is outside of MA is almost trivial. We also give a simple variant 
of this problem which is in BQP by the results of Chapter 6 but which we suspect to be 
outside of AM, in other words, a candidate for the stronger separation result discussed 
above. 

The second problem which separates BQP from MA is the decision version of 
period-finding over 3?, shown to have an efficient quantum solution in Chapter 7. We 
observe that the analogous problem over the integers is in MA, and thus demonstrate that 
period-finding over the reals is more difficult than its integral counterpart. This may also 
support the current state of knowledge about the relationship between factoring and Pell's 
equation. There is a reduction from factoring, which can be reduced to period-finding over 
the integers, to Pell's equation, which can be reduced to period-finding over the reals, but 
no reduction in the opposite direction exists. 

8.2 MA 

We take for our definition of MA a version with one-sided error which has been 
shown to be equivalent (see for example [38]) to the standard definition given in [2]: 

Definition 8. A promise problem V is in MA if and only if for all sufficiently large polyno- 
mials q there is a polynomial r and a predicate R computable in deterministic polynomial- 
time with access to f such that 

f eyn — >^xe S«('*)Vy G S'^(")i?-^(x,y) = 1 
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and 



< 



2-2q(n)2r(n) ^ 



The following Lemma is implicit in the literature and is useful in proving lower 
bounds related to MA. For a given predicate R and a pair of strings x G S^(") and y G S''^'*) , 
we say that two oracles / and g are equivalent under R{x,y), or / ^ji(^x,y) 9j if runs of 
Rf {x, y) and R^{x, y) produce identical oracle query/answer transcripts. Then we have the 
following: 

Lemma 8. // a promise problem V G MA via R then for all n there exists an oracle f & yn 
and strings and x G S^^") and y G E''^") such that 

PrgeNn (g ^R{x,y) /) ^ ^-lip) (g 1) 

We give a proof of Lemma 8 in Section 8.3.2. As an easy application we give a 
proof that the following decision version of Simon's problem (Section 2.2) is outside of MA. 

Promise Problem 1. MBS(No Bit-string) 

f : {Z2T ^ {Z^r is I -I. 
A/"n. / : (-^2)" — ^ (■^2)" is 2— 1 and there exists some b such that for all x, f{x) = f{x®b). 

MBS ^ MA. It is easy to see that |3;„| = 2"! and 

2"! 



(2n - 2"-i)!' 

Take any f E yn and strings x,y and look at the transcript of R^{x,y). We can assume 
without loss that all such transcripts contain exactly t oracle queries, where t is bounded 
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by the polynomial run-time of R. The number of functions in g E yn such that g '^R{x,y) f i 
that is, which induce an oracle transcript identical to /'s, is exactly (2" — t)\. The number 
of oracles g G Mn with g ^R{x,y) f is at least 



(2^* - 



(2" - 2"-!)! 

because at most t{t + l)/2 hidden bit strings have been ruled out by the t oracle queries. 
Thus we get that 



PrgeAfn {g ^R{x,y) f) > 



^ (2"-2"-i)! ^ 



while 

(2" — ty. 

Prgeyu {g ^R{x,y) f) = — — ■ 
For all oracles / and strings x, y the ratio (8.1) of these two quantities is thus at least 

on f2 

'-^ = m 

since t is bounded by a polynomial. Thus we have MBS MA. □ 

Since MBS G BQP via Simon's algorithm (modified slightly to answer the appro- 
priate decision problem) , a routine diagonalization procedure - see for example [37] - gives 
the oracle separation result BQP'-' 2 MA'-^ . 

There is an easy protocol showing that MBS G AM - the verifier chooses a value 
y £ (-^2)" from the possible range of / and the prover provides an a; G (■^2)"' with the 
verifier accepting iff f{x) = y. It is easy to see that the prover can convince the verifier 
with probability 1 if / G 3^ and with probability at most 1/2 otherwise. This is a simple 
example of an approximate counting protocol - in this case the size of the range of / is 
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being estimated. Notice that the protocol actually distinguishes between arbitrary 1 — 1 
and 2 — 1 functions from (-^2)" to (-^2)" and has nothing to do with the hidden bit-string 
structure of the M functions. 

8.3 Period-finding over ^ is outside of MA 

We now prove that the period-finding problem over R, for which an efficient quan- 
tum algorithm was given in Chapter 7, is not in MA. In particular we show this for a 
decision version of the period-finding problem which corresponds to learning the leading bit 
of the period. 

Promise Problem 2. (Period-finding over ?R.) 

yn-' / G is a step function on 3ft with average interval > 1 and period p < 2" satisfying 
2'^ <p< 2"^+^ . 

A/'n* f & is a step function on 3? with average interval > 1 and period p < 2" which 
does not satisfy 2"^ < p < 2"^+^ . 

Theorem 8. 

MA 

The fact that this problem is outside of MA supports the intuition that period- 
finding over the reals is more difficult than over the integers. In particular, the analogous 
decision problem over Z, 

Promise Problem 3. VZ (Period-finding over Z) 
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^n' / € Ci/3 is a function on Z with integral period p < 2" satisfying 2"* < p < 2"*+^. 
A/'n- f E Ci/^ is a function on Z with integral period p < 2^ which does not satisfy 2"* < 

is in MA. In this case a proof that f G yn could consist of the period p, the 
prime factorization of p, and primaUty certificates for each of these prime factors. If / is 
one-to-one on its period we can test this proof deterministically (and thus this restricted 
problem is in NP). We would first verify the factorization of p and the validity of the 
primality certificates - see [26] for the proof that PRIMES G NP. Then we check that 
f{x) = f{x + p) for an arbitrary choice of x. This insures that the claimed p is a multiple 
of the period. Finally, for each prime pi in the factorization of p we verify that for an 
arbitrarily chosen x, f{x) ^ f{x+p/pi). This test, which can be done efficiently since there 
are at most n such primes, rules out any p which is a proper multiple of the true period. 
After this verification that p is in fact the period we accept iff 2"* < p < 2"*+^. 

For a general / G C1/3 we need merely randomize the function checks in the above 
proof, accepting if f{x) = f{x + p) for a randomly chosen x and if for each i f{x) ^ 
f{x +p/pi) with significant probability. This gives a probabilistic check of the above proof 
and establishes that VZ G MA. 

We now show that MA. The proof is based on the fact that, while in the 
integral case there is a short proof to rule out any multiple of the period, such a proof does 
not exist when the period is allowed to be rational. In the integral case we can check the 
function at < n pairs of points p/pi apart, one for each prime pi in the factorization of p, and 
ensure that none of the potentially exponentially many proper divisors of p is the period. 
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In the real case to ensure that the function has period p we must rule out all rationals p/k, 
k < p as possible periods. There is no similar polynomially sized set of points which can 
accomplish this check, even probabilistically. 

^ MA. We first describe the restricted distributions of y and M oracles which we will 
use. Picking the correct restriction of the original promise problem is half the battle - 
one must find a restriction which is fairly structured in order to count the oracles, but too 
much structure invariably reduces the problem to the integral version which does have an 
MA proof system. 

We first fix the parameter m so that 2™ is superpolynomial in n. Then let {pi, i G 
/} be the set of primes satisfying 1 < < 2^ and note that, by the Prime Number 
Theorem, |/| is also superpolynomial in n. Finally, let 

N = kllpi 

for some integer k. 

Definition 9 {y and A/"). Our y functions all have period 2"* and are specified in the 
following manner. We choose 2"* — 1 values uniformly at random in the set 

[0,2'"] n { fractions with denominator N}. 

These are the endpoints of the step intervals of the function. We then choose a value in 
{1, . . . , 2"*} for each of our steps in such a way that the function is 1 — \ modulo its step 
intervals. Finally, we discard any function which has maximal step interval at least 2"^/^ . 
The number of such functions is 
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minus the functions discarded for having too long an interval. The fraction of functions 
thus discarded is very small - the probability of having an interval of length at least 2"*/^ is 
less than 



2^^' I 1 - 1 < 2"^e-2^ 



2™-l 

2=r^y 

and we shall be able to ignore it in our calculations. 

We now turn to our J\f functions. For each i E I Mi will be a collection of 
functions with period ^ . We define the functions on their period in an manner similar to 
the y functions. We choose [^J — 1 values uniformly at random in the set 



2m- 

0,— 

. Pi . 



n { fractions with denominator N}. 



These are the endpoints of the step intervals of the function. We then choose a value in 
{1, . . . ,2*"} for each of our steps in such a way that the function is 1 — 1 on its period 
modulo the step intervals. Again we discard the very small fraction of functions which have 
maximal step interval at least 2*"/^ . The number of such functions is 



omi / N — 

^ • ' Pi 



2 

T- 

-£Z\ _ 1 



(2™-Lfj)iVLfJ 

minus the small fraction of functions discarded for having too long an interval. Again these 
form such a small fraction of the total that we can effectively ignore them. Finally, we 
shall be interested in the class J\f which is a weighted union of the Mi,i G /, with each Mi 
reweighted to have an equal number of functions. 

We note that the y and M oracles defined above are in fact a subclass of the 
original promise problem V^. Clearly they have period less than 2" and average interval 
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at least 1. The fact that they are in C1/3 follows from the cap on the length of the maximal 
step interval together with the fact that they are 1 — 1 modulo their steps. 

Let R{x, y) be any deterministic predicate which runs in time t{n) and purports 
to yield an MA proof system for with parameters q{n) and r{n). Then clearly R{x,y) 
also yields an MA proof system for the y and M oracles defined above with the same 
parameters. We can further assume that on this restricted problem all oracle queries are 
made on inputs in the interval [0, 2"*] by interpreting the original queries (mod 2^). 

Recall the equivalence relation ^R{x,y) defined in Section 8.2. The following 
lemma is the main technical result establishing our theorem and is proved in Section 8.3.1: 

Lemma 9. There is a constant c > such that for all sufficiently large n, f E y, i E I, 

and strings x G T,i^"-^ and y G S''^"') 

Prgey {9 -R(x,y) f) 

unless the transcript ofR^{x,y) includes a pair of oracle inputs {u,v) satisfying 

nm nm 

k 2"»/3 <- ^ _ ^ < ^_ + 2™/3, (8.3) 

Pi Pi 

for some integer k satisfying \k\ < pi. 

Informally this says that R can only distinguish between the y oracles which have 
period 2"* and the Mi oracles with period 2'^/pi if it actually queries a pair of intervals 
which are a multiple of 2™/pj apart and thus rules out the possibility of a Mi oracle. 

We now turn to the question of distinguishing y oracles from the full collection of 
M oracles. The idea is that a successful MA proof would have to rule out the possibility 
that f E Mi for almost alH G / and thus examine the function on pairs {u, v) of the above 
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form for almost all i E I, but this requires making exponentially many oracle queries in 
polynomial-time! 

We first claim that any pair of queries {u,v) to the oracle can satisfy Equation 
(8.3) for at most n of the i G I. Suppose {u, v) satisfies Equation (8.3) for the prime p and 
the integer k. Then in order for it to also satisfy the same equation for another prime pi 
we must have 



which implies 



p 

p Pi 



Pi 



< 



< 



2m/3+l 



(2W4)2 ■ 

By our choice of p, pi < 2"*/^ these fractions must therefore be exactly equal, oi k = Ippi 
for some integer I. Since < 2" it can have at most n distinct prime factors and thus 
Equation (8.3) can be satisfied simultaneously for at most n of the i G /. 
We now show that for all / G ^ and for all x, y, 



Prg&y [g ^R{x,y) /) 



0(1) 



This will establish the result since it is a violation of Lemma 8. Now, 

PrgeM {g ^R{x,y) f) _ \{g ^J^\f ^R{x,y) g}\ |3^| 



Prgey {g --R{x,y) f) \^\ \{g^y\f--R{x,y)g}\ 

J:ia\{9^m-R(x,y)g}\ \y\ 



= E 



E.e/IA/'.I \{g^y\f-^R(x,y)g}\ 

\{9 eAfilf ^R^^,y) g}\ \y\ 



\i\ m 



\{g ^y\f ^R{x,y) g}\ 



1 PrgeM, (g ^R{x,y) f) 
^ |/| Prgey {g ^R{x,y) f) 



(8.4) 
(8.5) 
(8.6) 

(8.7) 
(8.8) 
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where the second to the last equation follows from the fact that the Mi have been given 
equal weights. By throwing out the at most nt^ i G / for which pairs of queries satisfying 
Equation (8.3) have been made, and applying the bound in Lemma 9 to the rest we have 
that the above quantity is 



i<\I\-nfi 

where the last equality follows from the fact that |/| is superpolynomial in n. This completes 
the proof. □ 

8.3.1 Proof of Lemma 9 

Lemma 9. There is a constant c > such that for all sufficiently large n, f & y, i E I, 
and strings x G E«(") and y e S^^") 

''^^^^^^is-ni^,v)f) > , (8.9) 
Prgey [9 ^R{x,y) f) 

unless the transcript of R^{x,y) includes a pair of oracle inputs {u,v) satisfying 

k 2"'/'^<u-v<k — + 2"/3^ (8.10) 

Pi Pi 

for some integer \k\ < Pi- 

We first define an equivalence relation on our functions which is a refinement of 
'^R(x,y) ■ We let f^g if both / ^R{^x,y) 9 o-i^d the at most t step intervals queried on a run 
of {x, y) are identical on their endpoints. In other words, not only the values of the steps 
which are queried but also the steps themselves are identical. This is clearly a refinement 
of 

^R{x,y) ^'^d thus it suffices to prove the above lemma with ^ji(^x,y) replaced by ~. 
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Fix any f E y, i E I, and strings x G S^^") and y G E''^"'^ We can assume 
without loss of generality that exactly t intervals are queried on any run, where t = t{n) 
is the run-time of R. Let T denote the total length of the step intervals which are queried 
in R'f {x,y) - note that T < tl'"'!^ since no interval is longer than 2™/'^. The number of y 
functions g for which f ^ g is 

P"._t)!(''^<2"'-r)Y 

minus the exponentially small fraction of these functions which have maximal interval 
greater than 2"*/^. 

Now, if none of these t intervals overlap when they are mapped back (mod 2'^/pi) 
to the interval [0, 2'"/pj], and this is the case when Equation (8.10) is not satisfied by any 
pair of queries, then the number of Af functions g for which f ^ g is 

(2'" - ty. / N(^-T) \ 
(2"-Lfj)!Ufl-2«-l^' 

minus the small fraction of these functions which have maximal interval greater than 2"*/^ . 

Here we also use the fact that iV is a multiple of pi for each i e I. This ensures that 

the endpoints of the original intervals interpreted (mod 2"^ /pi) are valid choices for the Ni 

oracles. 

By cancelling all the factorials in the ratio in question, 

Ar(2 T) . 

L Pi I 

where the approximation reflects the fact that we have thrown out an exponentially small 
fraction from each class for having too large a maximal interval. At this point it is easy to 
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see that this can be ignored. Since we are free to choose N = k^lj^^jPi as large as we want 
we use the fact that when A'' is sufficiently large (^) « ^ to conclude that Equation 8.3.1 
is approximately 



(lfl-l)!(2".-2t-l)i {N^^f (jv. 



\2'"-l 



0- 



(Lfl-2t-l)!(2--l)! (iVf)^^^"' (^'^ 



,2"»-2t-l 



(l 2"') 



y \2"'-2t-l 



(8.11) 



The first ratio in Equation 8.3.1 can be seen to approach p^"^* as n (and thus m) goes to 
infinity by canceUing terms in the factorials. In a similar manner the second ratio can be 
seen to approach We now proceed to show that the third ratio is approaches 1 and the 



Lemma follows. We can rewrite this ratio as 



1 



2™/rpj 



fi-^V 



e-2t-l 



"/T ) 



-2t-l 



where e=|— 1 — — <l/2. Now the second of these ratios has numerator and denominator 
both close to 1 since t « 2^ /Tpi. Thus we can ignore this ratio and focus on the first. 

We use the fact that the expression (1 — 1/n)" converges to e"^ with error 0(l/n) 
to conclude that the ratio 



( 1 

2m IT J 



2"! 
T 



is within 0{Tpi/2™') of 1. Finally since 



T << 



Tpi 



this ratio raised to the Tth power is still very close to 1 and the result follows. 
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8.3.2 Proof of Lemma 8 

Lemma 8. // a promise problem V G MA via R then for all n there exists an oracle f E yn 

and strings and x G S'^^") and y G S*"*^") such that 

Pi-geyn {9 ^R{x,y) f) 

Proof. Since there are 2^^"^ possible proof strings x there exists at least one such string 
which serves as a valid proof for at least a 2"^^"^ fraction of the oracles. Fix any such proof 
X. We have that 

Vy G \{g G y\R<^ix,y) = 1}| > 2-'i^^^\y\, 

and thus 

j,gSr-(n) 

If Equation 8.3.2 is violated for all /, x, and y then by viewing each set {g G 
J\f\R^{x,y) = 1} as a union of ^R[x,y) equivalence classes we have that for all y 

\{geM\R<^{x,y) = 1}\ > 2-^(") \{g G y\R'{x,y) = 1}\ M. 

Putting these together we get that 

^ \{g G Af\R>^ix,y) = l}\ = Yl \{y ^ y) = 1}| > 2-'i(^^ \Af\2<^\ 

But this implies that there exists a. g e J\f such that 

|{y|i?^'(x,y) = l}|>2-2^(")2'-("), 

contradicting the definition of MA. □ 
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Chapter 9 

Fourier Transform Theorems 

In this chapter we estabhsh the technical results leading to the QFT Algorithm 3 
and the Fourier Sampling Algorithms 4 and 5. First prove a version of the Fourier Sampling 
Lemma 9 ([16], [20]) and show how this leads to a simple algorithm for approximating the 
QFT over an arbitrary cyclic group. While this technique, like the quantum chirp-z method 
of Section 3.3, can only be used to replace a finite number of QFT's in a given computation, 
it may be of independent interest. Also, the proofs of Theorems 10 and 11 which lead 
directly to the highly efficient Algorithms 3 and 4 rely on an elaboration of the techniques 
used in this earlier lemma. 

9.1 Fourier Sampling Lemma 

In this section we prove a relationship between the Fourier transforms over different 
moduli of a fixed vector. In particular, let \v) = X^j<jv t>e a unit vector and let \v) and 
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l^^) be its Fourier transforms mod N and M respectively, where M > N} 

We exhibit a subvector of \v'^') whose direction is a good approximation to |i))'s 
whenever M is sufficiently large. In particular, let / denote the integer nearest with 
ties broken by some standard convention. Let {v'^')' be the subvector of \v'^') consisting of 



the entries indexed by integers / renormalized by \/ jf- That is. 



IM 



^ ) = V AT z^vl-^^- 



Then the L2 distance between the vector \v) and \v'^)' becomes arbitrarily small as M is 
increased relative to A'". The fact that this is true for M = ri(iV^/^) is almost trivial, but 
we show that this is already true for M = Q,{N\ogN). This exponential improvement in 
the ratio ^ is crucial for the quantum applications discussed in Section 9.1.1. 



First, it is easily seen that for M = ^2 



Ar3/2 



, \v) and |{;*^)' are e-close in L2 norm. 



The square of the L2 distance between the vectors \v) and \v'^y is given by 



j<N 



j<N 



^ \ " ij ^ \ ^ i 



i<N 



i<N 



N ^ 



j<N 



i<N 



i<N 



N 



j<N 



M . 



i<N 



^ El 

j<N \i<N 



J- -'^M 



where 6j = f - <1 



We first use the fact that since \iSj\ < N, 



1 , 



N 
^ M' 



^We interpret \v} as a unit vector of length M with entries greater than N uniformly equal to zero. 



Ill 

and then apply the inequahty 

\ui\ < vn 

i<N 

which holds for any unit vector \u), to obtain 




from which the claim follows. 

However, this relationship cannot be exploited easily in the quantum setting. In 
short, in order for \v'^)' to be a good approximation to l^), M must be chosen so that the 
ratio ^ is exponentially large. But then the desired subvector of is an exponentially 
small fraction of the whole of \v'^) and cannot efficiently be recovered. 

But this relationship actually holds for much smaller M. In particular, we show 
that that it holds for M = f2 ^ N\ogN ^ ^ exponential improvement in the ratio ^. 

Theorem 9. Given any unit vector \v) = '}2i<N'"i\^) 

III-) -I- )\\=o[-^)- 

A version of this theorem which referred only to the distributions induced by l^) 
and \v'^y first appeared in [16]. The proof was later simplified, and the bounds improved, 
in [20]. The proof given in Section 9.1.3 is based on this simplification. 
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9.1.1 Application: An Approximate QFT over an Arbitrary Modulus N 

We give a simple algorithm for an approximate QFT over an arbitrary modulus 
based on Theorem 9. This algorithm suffers from the same drawbacks as the chirp-z method 
discussed in Section 3.3, namely it only succeeds with inverse polynomial probability and 
thus can only be used to replace a constant number of QFT's in a given quantum pro- 
cedure. However, the number of repetitions required to achieve an e approximation with 
high probability is now linear rather than quadratic in 0(i). Furthermore the algorithm 
is extremely simple. We note that this is particularly true in the Fourier Sampling setting, 
that is, if the transform to be approximated occurs as the last step in a quantum algorithm 
with only the distribution induced by the final superposition being of interest. In this case 
measurement can take place immediately following Step 1 and the rounding procedure can 
be accomplished classically. This gives us an very short quantum subroutine, but one which 
must be repeated many times for the required result, a trade-off which may be very desirable 
when decoherence is taken into account. 



Let A'' and e be given. Choose M = Q 




Algorithm 8. Input: \a) 



1. Transform \a) over Zm-' 



a) 



FmIo) 



2. Ifx= l^i] map 



x)|0) 
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3. Measure the second register. 

If al is measured in the second register which occurs with probability j^^, then we output 
the successful approximate QFT. 

The correctness of this procedure follows directly from our theorem. If a 1 is 
measured in the second register then we have collapsed to a superposition in the direction 
of 

j<N 

By our Theorem the vector is e-close to the desired 

j<N 



Moreover, since 



is approximately a unit vector, 




j<N 



j<N 

and the success probability is also correct. 



M|2 ^ N_ 



9.1.2 Two Claims 

To prove Theorem 9 we first examine the special case when the initial vector 1^) 
is an element of the Fourier basis mod N, in other words 



i<N 



The Fourier transform over A'^ of |j) is just the standard basis vector \j), i.e. a pointmass 
at j. We let j'^ denote the Fourier transform over M of \j) and the subvector of 
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at entries of the form i' = [^^] renormalized by in keeping with our earher notation. 
The vector is a smeared pointmass concentrated near / and the entries of satisfy 
the following: 



Claim 2. 



Claim 3. For k ^ j, 



■ Ml I 



\3k 



< 



1 N 



where \x\ 



N 



\k-j\NM 
X mod AT ifO<x mod AT < f 
—X mod N otherwise 
These claims are proved in Section 9.1.4. They yield a version of our main theorem 
in the special case that \v) is a Fourier basis vector: 

Observation 1. If \v) = \j) is an element of the Fourier basis mod N and M = CI (y) , 

then 

II I ~\ I *M \ /II , 

\\\v) — \v ) II < e. 

We leave the proof of Observation 1 to the reader. This Observation does not 
lead directly to our Theorem 9. In particular if we try to extend it linearly to allow for an 
arbitrary vector \v) we are forced to choose M = ft{^^^) to achieve a bound of e - the 
argument is that of Section 9.1 now expressed in the Fourier rather than the standard basis. 
Fortunately, a more careful examiniation of Claim 3 gives us crucial information about the 
structure of the error vectors 

\j)-\ry 

which will allow us to conclude our theorem. 
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9.1.3 Proof of Theorem 9 



We wish to bound the quantity 



\v} — \v ) ' 



j<N 



E 

i<iV 



E*.(b-)-r)'), 

j<N 



(9.1) 



This is the squared length of the vector which results from applying the matrix 
with ijth entry (jj) — to the unit vector \v), in other words the best bound on this 

expression is exactly the squared operator norm of this matrix. By Claims 2 and 3 we have 



(u)-r)'). 



< TT 



N 
M 



and for i ^ j 



\j)-\ry\\< 



N 



\i-j\NM 

It suffices, then, to bound the squared operator norm of the matrix A with 



A. 



1 N 



iii = j 



otherwise 



\i-j\NM 

This N X N matrix has the property that each row is the shift by one (modA?^) of 
the previous row, i.e. Aij = ^i+i mod Ar,j+i mod at, and all its entries are nonnegative reals. 
Because of this shift property - such a matrix is commonly referred to as circulant - its 
eigenvalues are all of the form Yli<N ^N^ij ^'^^ some integer k. Moreover since the entries 
Aij are nonnegative reals the maximum eigenvalue is found by setting k = 0, corresponding 
to an eigenvector with all equal entries. This maximum eigenvalue is precisely the operator 
norm of A and can be found by taking the sum of any row of the matrix. Using the fact 
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that 5^j<jv T ~ log AT we have the sum of a row is O ^ ^'^^ ^ and thus 



\v)-\v''y\\=o 



M 



(9.2) 



which estabhshes our theorem. 



9.1.4 Proofs of Claims 2 and 3 



We now prove Claims 2 and 3. 



Proof of Claim 2. To establish 



we note that 



1 — ?i < TT — 

I -"J I - M 



1" ^IZ^at'^'^m 



i<N 



AT 



i<N 



(9.3) 
(9.4) 
(9.5) 



where e = j' — < 1/2 This quantity is easily seen to be less than the arclength 27re^ 



and the claim follows. 



□ 



Proof of Claim 3. We now establish that for k ^ j, 



where Ixl^v = < 



I -^'1 < 1 ^ 

I - \k-j\NM 



X mod AT if < X mod N <f 



-X mod N otherwise. 
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I -M/ I 



i<N 



i<N 



N ^ 



N 



N 



- 1 



where e = k' — < 1/2. The numerator 



(9.6) 
(9.7) 
(9.8) 

(9.9) 

is at most the arclength 



27r^e < TT^ and the denominator 



directly to the claimed bound. 



CO 



AT ^ 



IS 



at least ^"l'"^^^^!" > leading 



□ 



9.2 Fourier Transform Theorems 

In this section we establish the technical results leading to Algorithms 3 and 4. In 
particular, we prove a relationship between the transform \v) over of a given vector \v) 
and the transform over M > N, not of that same vector \v) (as in previous Section), but of 
a vector consisting of many repetitions of \v). By repeating the vector \v) many times and 
transforming over a large M we get a vector with not just one length N subvector whose 
renormalization approximates \v) (as in the previous Section) but a vector for which most 
length N subvectors have this property. Analogous to the previous section, the fact that this 
is true when \v) is repeated ^1{N) times is easy to prove but we show, via an amplification 
of the circulant argument of Section 9.1.3, that this holds when the number of repetitions is 
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only 0{log^ N). This improvement is responsible for the improved efficiency of Algorithms 
3 and 4 over earlier methods and is also used crucially in the proof of Theorem 7. 

More formally, let \v) = Yli<N arbitrary unit vector, and let \w) be the 

unit vector consisting of R repetitions of \v), that is 

j<Ri<N 

Then we can establish a strong relationship between the vectors \v) and \w'^) for sufficiently 
large R and M. Recall from the previous section that i' denotes the integer nearest i. 

Theorem 10. Let \v) and {w) be as above. Then for any M > RN there is a vector 
\u) = X^|^|<_M_ so that 



i<N 



ARN 8 log 



M 

where = X]|(|<_m ut\i' + 1) is the vector \u) with indices shifted by i! . 

This theorem forms the basis for the Fourier Transform algorithm of Section 5.1. 
By measuring the offset from the nearest i', the superposition YIiikn collapses exactly 

to the desired \v). This property approximately holds for the superposition \w'^) (which 
we can generate) by virtue of its closeness to X]i<Ar^il^)* • 

As a byproduct of the proof of Theorem 10 we get a related theorem which is 
useful in the Fourier Sampling setting, that is, in the case where we are concerned with the 
distribution induced by the final superposition. We let T)\v) be the probability distribution 
on the set {0, ...A — 1} induced by measuring \v) and T^^^m-^ be the distribution on the 
same set induced by measuring \w^) and interpreting integers within M/2N of i' as i. 
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More formally, 



and 

|2 



l*l<^ 

Then we can prove the following theorem: 

Theorem 11. Let \v) and \w) be as above. Then for any M > NR 

'logiV' 



< o 



Notice that in order to make these distributions close we need only make sure that 
R is sufficiently large and then M can be taken to be any integer greater than RN. 

9.2.1 Proof of Theorem 10 

First note that the Fourier transform over RN of 

j<Ri<N 



IS 



\w) = J2vi\Ri). (9.10) 

i<N 

Recall that we are trying to show that there exists some vector \u) supported on the integers 
in the interval (— ^) such that \w'^^) is close to a vector of the form 

i<N 

where is the vector \u) with indices shifted by i' = [^i]. In the case that M = RN 
Equation (9.10) immediately yields our theorem with the vector \u) = |0) and no error at 
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all. For a general M > RN 



i<N 



We let = FmFj^^{\R{)) and thus 



\w 



' \ \ ^ * I -M \ 



i<N 



The are neither supported on the intervals — ^ji' + ^) nor the shifts by i' of a 
fixed vector, but we show that for sufficiently large R and M these conditions approximately 
hold. 

To this end we define \bi) (for "bump") to be the vector restricted to the 
integers in the open interval (i' — + an interval which we denote by (i'). We let 

\ti) (for "tail") be the rest of Thus the \ti) are supported on the indices outside of {i') 
and we have \ti) = — Note also that 



\w 



i<N i<N i<N 

Finally, let |6o)*' be the vector \bo) shifted by i' . Our aim will be to show that |6o) is our 
candidate for |n), in other words that 



\w 



i<N i<N i<N 



We first bound ||X]j<jv^«l*2)||' then show that each is very close to |6o)*'- Since the |6i)'s 
have disjoint support the closeness of the vectors follows. More formally, we will prove the 
following two claims: 



Claim 4. 



i<N 



\w ) 



Vi\bi) 



i<N 



< 



SlogiV 

Vr 



(9.11) 
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Claim 4 states that making R large (i.e. increasing the number of repetitions of 

\v)) reduces the effect of these tails. 

Claim 5. Let |6o)*' be the superposition \bo) shifted by i! . Then 

ARN 



< 



M 



Prom Claim 5 and the fact that the have disjoint supports, 

4RN 



i<N i<N 



< 



M 



Combining this with Claim 4 via the triangle inequahty we have, 



w 



')-j2vi\bor' 

i<N 



4RN SlogiV 
< 1 — 



as desired. 



(9.12) 



9.2.2 Proof of Theorem 1 1 

In this case we wish to show that the distribution T)\jj) on {0, ...,N — 1} induced 
by sampling \v) and the distribution 'D^^m^ on {0, ...,A'' — 1} induced by sampling \w'^) 
and interpreting integers within M/2N units of i' as i, are close. The closeness of these 
distributions turns out to fohow from Claim 4 alone, allowing us to drop the dependence of 
the error on the ratio M/RN. In particular, as long as R is sufficiently large, any M > RN 
will do. 



Let 



d{i) = \vif {bi\bi). 



Then d is the sub-distribution induced by measuring the (generally sub-unit length) super- 
position J2i<N'"i\bi) ^^'^ interpreting integers within M/2N units of i' as i. By Claim 4 we 
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have 



from which it follows that 



Now, 



and 



i<N 



< 



SlogiV 



O 



log AT 



i<N 



l-{bi\bi) = {ti\ti) = 



R 



by applying Claim 4 to the vector \v) = The result then follows from the triangle 
inequality. 



9.2.3 Proof of Claim 4 

Proof. In order to bound ||X]i<jv we will use the following observation which estab- 

lishes that the amplitudes in fall off quickly away from i' . Recall that \ti) is identical 
to the superposition except that it is missing all the amplitudes at j G {i') where {i') is 
the interval {i' — + Thus this falloff applies to the \ti) as well. This Observation 
is closely related to Claim 3 of the previous Section and it proof is in Section 9.2.5. 



Observation 2. 



1 1 



MVRN 



k<RN 



M 



< 



M 



RN\j- 4i\ 
W N \m 



where \x\m = < 



xmodM i/0 < X mod M < M/2 
—X mod M otherwise 
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We now use this to bound ||X^i<jv^i|*i)||- We first note that Observation 2 can be 
used to show that = O i^^^^^- ^ naive analysis of the quantity ||X^j<jv '^il^i) || ~ 

the discussion in Section 9.1 - would then give a bound of O ( ) . Instead we achieve an 



R 

improved bound by a more complex version of the circulant argument of Section 9.1.3. The 
first equality below is by the definition of \ti] and the second is by the above observation: 



i<N 



j<M 



- ^ RN \ ^ 



M „ 



j<M K nHm 

This expression is almost maximized by taking the Vi = 1/VN for all i. In par- 
ticular, the expression can be bounded by four times its value at this vector. The proof of 
this fact is in Section 9.2.4 and is the heart of the Theorem. It is proved by an extension of 
the circulant argument used in Theorem 9. 



y Vi\ti) 

i<N 



< 



16M 



V L 



3<M \i,j<^{i') l-^ Af Im 



Using the fact that the smallest denominator \j — is at least ^ and the 

rest are spaced out by ^ we have 



(9.13) 



M 



E 



1 2Ariog7V 



M 



M 



Therefore 



\w 



y^ vi\ti 



< 



i<N 



i<N 



'AogN 



as desired. 



(9.14) 
□ 
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9.2.4 Proof of Bound in Claim 4 
Claim 6. For any unit vector \x) and M > 8N 

E 



E 

j<M 



Xi 



2 

^ ^ I ^ 1 



j<M \i<N,3^{i') N^\M 



Proof. The left hand side of Equation (9.15) is at most the squared operator norm of the 
M X N matrix A with entries 



Aji — < 



ifjG(i') 



1 



otherwise 



Note that our matrix is positive and has the property that each row is comprised 
of samples of the same underlying function but with the samples shifted by ^ from one 
row to the next. We argued in Section 9.1.3 that the operator norm of any positive N x N 
matrix with the property that each row is the shift by one mod N of the previous row is 
found by applying the matrix to the unit vector with entries uniformly equal to 

Now, while our rectangular matrix is obviously not of this form, by reindexing and 
changing the denominators of the entries only slightly - so that a fixed set of integral t can 
be used - the expression becomes 



\M.k-i-f - M,-L, 

t€±M. k<N \i<N,i^k I JV ^ ^ JV 

Notice that the matrix giving rise to each of the double sums indexed by k and i 
in this new expression is N x N and has the properties discussed previously - the entries 
depend only on the quantity {k — i) mod N. Thus each individual sum, and therefore the 
entire sum is maximized by choosing the entries of Xi to be equal. 
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Finally, we can relate to our original expression as follows: we added at 

most ±1 to the denominators of our original matrix entries. Since these denominators were 
all larger than ^ > 4 this at most doubled/halved the squared sums of the entries. Thus 
we have: 

1 ^ WAxW^ ^ 2 

2 - pxP - 

Finally, we use this to bound the squared operator norm of A. Let xq maximize 
Then for any x we have \\Ax\\'^ < 2\\Ax\\'^ < 2||Axo|P < 4||ylxo|p. Thus our expression is 
bounded by four times it's value at the unit vector with entries uniformly equal to as 
claimed. □ 

9.2.5 Proof of Observation 2 



Proof. Recall that 



\i'')=FMF^I,\Ri) 



We have 



M-lB.N-1 
i i \ ^ \ ^ I. (J L 



MVRN 



^ ^ RN-l 



MVRN 



k=0 



j=0 k=0 



1 1 



mVrn 



1 _ ^RNj/M 



1 — UJ^M N ' 



where the second equality applies the formula for geometric series. Then since 



-, (J L) 

and |1 - u^^^/^\ < 2, we have 



1 J'-^'^' 



> 



M 



M 

7 i 



\ -M \ ^ 



M 



RN \j - §i 



as claimed. 



□ 
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9.2.6 Proof of Claim 5 



Proof. We first note that to show that the restricted "bump" vectors are close, that is, 



< 



ARN 

IT 



it suffices to show that the corresponding full vectors |0^) and satisfy the same bound, 
that is 



< 



ARN 



But recalling that = FmFj^^IRi) and using the fact that Fm is unitary we have 



E 

j<RN 



=L0 



j<RN 



where 6i = i' — M^i. But since j only goes up to RN, 



M 



< 



ARN 



and thus 



j<RN 



1 



Vrn 

j<RN 



URNy 



2 



N 



as desired. 



□ 
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